WordPress MegaThemes Themes Arbitrary File Upload Vulnerability

ID:IRCAD2012062000
Release Date: 2012-06-18
Criticality level: Highly critical
Software:
WordPress Deep Blue Theme 1.x
WordPress Famous Theme 2.x
 
Description:
A vulnerability has been discovered in the Famous and Deep Blue themes for WordPress, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by the wp-content/themes/famous/megaframe/megapanel/inc/upload.php and wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php scripts accepting uploads with arbitrary file extensions into a folder inside the webroot. Because the destination is web-accessible, an uploaded PHP script can be requested and executed by the web server, resulting in arbitrary PHP code execution.
The vulnerability is confirmed in Famous theme version 2.0.5 and Deep Blue theme version 1.9.2. Other versions may also be affected.
 
Solution:
Restrict access to the wp-content/themes/famous/megaframe/megapanel/inc/upload.php or wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php script (e.g. via .htaccess).
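The following is an added example, not part of the advisory or the theme vendor's code: two Apache .htaccess fragments that implement the workaround above. The first is dropped into the megapanel/inc directory of either theme and refuses direct HTTP requests to upload.php; the second is a defence-in-depth file for the directory upload.php writes into (the advisory does not name it, so UPLOAD_DIR_PLACEHOLDER stands in). Both assume the vhost's AllowOverride permits authorization directives, and both carry Apache 2.2 and 2.4 syntax since either was common in 2012.

```apache
# File 1: wp-content/themes/famous/megaframe/megapanel/inc/.htaccess
# (same content under wp-content/themes/deep-blue/megaframe/megapanel/inc/)
# Blocks every direct browser/client request to upload.php. Server-side
# include/require of the file by the theme is unaffected, since that path
# never passes through Apache's access control.
<Files "upload.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# File 2: UPLOAD_DIR_PLACEHOLDER/.htaccess  (placeholder: the advisory does not
# state the upload destination; use the directory upload.php writes into)
# Even if a script with a PHP extension is written here, Apache refuses to
# serve it, so it cannot be executed by requesting it over HTTP.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying, confirm with a plain GET to upload.php from a browser or curl: a 403 response means the rule is active, a 200 means AllowOverride is not honouring the file.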
 
References:
 
Secunia:

Created: 30 Khordad 1391