Arbitrary File Upload Vulnerability in WP E-commerce CSV Importer
Someone reported to us that our Plugin Vulnerabilities Firewall had blocked an attempt to exploit what turned out to be an arbitrary file upload vulnerability in the plugin WP E-commerce CSV Importer. The blocked request was sent to the plugin’s file /upload/upload-file.php. The relevant code that allows arbitrary file uploads in the file is this:
2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
$uploaddir = "../../../uploads/wpsc/product_images/"; $file = $uploaddir . basename($_FILES['uploadfile']['name']); $type = $_FILES["uploadfile"]["type"]; $size=$_FILES['uploadfile']['size']; if($size>1048576) { echo "error file size > 1 MB"; unlink($_FILES['uploadfile']['tmp_name']); exit; } $newfile = "../../../uploads/wpsc/product_images/thumbnails/" . basename($_FILES['uploadfile']['name']); if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) { |
if($size>1048576)
{
echo "error file size > 1 MB";
unlink($_FILES['uploadfile']['tmp_name']);
exit;
}
$newfile = "../../../uploads/wpsc/product_images/thumbnails/" . basename($_FILES['uploadfile']['name']);
if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) { [Read more]