WP-Filemanager <=1.2 — Arbitrary File Upload
The H-T Team have reported a vulnerability in WP-Filemanager.
***No proof of concept available***
The vulnerability is supposed to affect version 1.2. It may also affect earlier versions (in fact, this is likely). It is possible for an attacker to upload arbitrary PHP code, which can afterwards be executed with the web server's rights.
Currently there’s no vendor fix available. BlogSecurity recommends that users disable and remove the plugin until a fix is available.
For the original bug disclosure, visit SecurityFocus.

PoC is available at milw0rm.com (from 6th of January).
Wordpress Plugin Wp-FileManager 1.2 Remote Upload Vulnerability
http://www.milw0rm.com/exploits/4844
So users of this plugin need to fix it or disable it until a fix is released.