Roundup: [oss-security] Remote file upload vulnerabilities in multiple wordpress plugins

[grahamc]

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

• [ ] Update Graham's database

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000004037

• File Search: https://search.nix.gsc.io/?q=wordpress&i=fosho&repos=nixos-nixpkgs
• GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=wordpress+in%3Apath&type=Code

Should the search term be changed from wordpress? Suggest a new package search by commenting:

-suggested:wordpress +suggested:correctPackageName thread:0000000000004037

Known CVEs: CVE-2017-1002000, CVE-2017-1002001, CVE-2017-1002002, CVE-2017-1002003

---

Skip to End

Mon, 06 Mar 2017 12:32:30 -0500 "Larry W. Cashdollar" , 4EBCE262-F53E-4DAC-90E4-913D8E81C063@me.com

Hello,

All of these plugins include unlicensed software developed by http://www.invedion.com/ that is vulnerable, I am unable to get 
more details from the vendor as to what the software name and version are and therefor can't issue a CVE for just
that software.  I've issued CVEs for the impacted plugins I know of:

CVE-2017-1002000
Remote file upload vulnerability in Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0
Example: http://example.com/wordpress/wp-content/plugins/mobile-friendly-app-builder-by-easytouch/server/images.php
http://www.vapidlabs.com/advisory.php?v=179

CVE-2017-1002001
Remote file upload vulnerability in Wordpress Plugin mobile-app-builder-by-appress v1.05
Example: http://example.com/wordpress/wp-content/plugins/mobile-app-builder-by-wappress/server/images.php
http://www.vapidlabs.com/advisory.php?v=180

CVE-2017-1002002
Remote file upload vulnerability in Wordpress Plugin webapp-builder v2.0
Example: http://example.com/wordpress/wp-content/plugins/webapp-builder/server/images.php
http://www.vapidlabs.com/advisory.php?v=181

CVE-2017-1002003
Remote file upload vulnerability in Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4
Example: http://example.com/wordpress/wp-content/plugins/wp2android-turn-wp-site-into-android-app/server/images.php
http://www.vapidlabs.com/advisory.php?v=182

@muntopia provided an exploit for all of them here:
https://github.com/alienwithin/Scripts-Sploits/blob/master/zen_app_mobile_wp_rfu.py

Skip to End

---

[Mic92]

unstable: we don't have it packaged 17.03: we don't have it packaged 16.09: we don't have it packaged