Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928852 (2018-07-26 18:54:24)

Warning

Many reported findings are false positives or unexploitable vulnerabilities. Please build a working proof-of-concept ("PoC") before reporting anything to the vendor!

Details:

Sink Standard::filesize
Risk _SERVER
/photo-video-store/templates/upload_files_jquery2.php:1069 (show/hide source)
1049  			{
1050  				echo fread( $handle, $chunk_size );
1051  				ob_flush();
1052  				flush();
1053  			}
1054  			fclose( $handle );
1055  			return $file_size;
1056  		}
1057  		return readfile( $file_path );
1058  	}
1059  
/**
 * Writes a piece of the response body.
 *
 * Kept as a seam so subclasses and tests can intercept output instead of
 * writing straight to the output stream.
 *
 * @param string $str Text emitted verbatim (no escaping is applied here).
 */
protected function body( $str ) {
	print $str;
}
1063  
/**
 * Sends one raw HTTP header line.
 *
 * Thin seam over PHP's header() so subclasses and tests can intercept
 * headers. It must run before any body output is flushed.
 *
 * @param string $str Complete header line, e.g. "Content-Type: application/json".
 */
protected function header( $str ) {
	\header( $str );
}
1067  
/**
 * Reads one entry of the $_SERVER superglobal.
 *
 * Returns an empty string when the key is absent so callers can use the
 * result as a plain string without their own isset() checks. Note that
 * HTTP_* keys are request headers chosen by the client; this class reads
 * HTTP_CONTENT_DISPOSITION and HTTP_CONTENT_RANGE through this method, so
 * callers must treat such values as untrusted input.
 *
 * @param string $id Key in $_SERVER, e.g. 'REQUEST_METHOD'.
 * @return mixed The stored value, or '' when the key is not set.
 */
protected function get_server_var( $id ) {
	if ( ! isset( $_SERVER[$id] ) ) {
		return '';
	}
	return $_SERVER[$id];
}
Threat level 0

Callstack:

UploadHandler::get_file_size /photo-video-store/templates/upload_files_jquery2.php:289 (show/hide source)
269  
/**
 * Corrects a size that wrapped around in a signed 32-bit integer.
 *
 * A negative value is assumed to have overflowed, and 2 * (PHP_INT_MAX + 1)
 * (2^32 on a 32-bit build) is added back; this works for sizes up to
 * 2^32-1 bytes (4 GiB - 1). Non-negative values are returned unchanged.
 *
 * @param int|float $size Size as reported by filesize() or intval().
 * @return int|float The corrected size; a float when a correction was applied.
 */
protected function fix_integer_overflow( $size ) {
	if ( $size >= 0 ) {
		return $size;
	}
	return $size + 2.0 * ( PHP_INT_MAX + 1 );
}
278  
/**
 * Returns the size in bytes of the file at $file_path.
 *
 * With $clear_stat_cache the stat cache is dropped first, so a size read
 * right after a write (e.g. an appended upload chunk) is current. The
 * result is passed through fix_integer_overflow() for 32-bit builds. If
 * filesize() fails it returns false (with a warning), which is handed back
 * unchanged; callers such as get_unique_filename() compare the result with
 * ===, so a failed read never matches a byte count.
 *
 * @param string $file_path        Path of the file to measure.
 * @param bool   $clear_stat_cache Clear the stat cache before reading.
 * @return int|float|false
 */
protected function get_file_size( $file_path, $clear_stat_cache = false ) {
	if ( $clear_stat_cache ) {
		// The per-file form of clearstatcache() only exists since PHP 5.3.
		if ( version_compare( PHP_VERSION, '5.3.0' ) < 0 ) {
			clearstatcache();
		} else {
			clearstatcache( true, $file_path );
		}
	}
	$raw_size = filesize( $file_path );
	return $this->fix_integer_overflow( $raw_size );
}
UploadHandler::get_unique_filename /photo-video-store/templates/upload_files_jquery2.php:441 (show/hide source)
421  
/**
 * preg_replace_callback() helper for upcount_name().
 *
 * Builds the replacement " (N)ext" suffix: N is the previously matched
 * counter plus one (or 1 when no counter was matched), and ext is the
 * matched extension, kept as-is.
 *
 * @param array $matches [0 => whole match, 1 => counter digits (optional), 2 => extension (optional)]
 * @return string
 */
protected function upcount_name_callback( $matches ) {
	$counter = 1;
	if ( isset( $matches[1] ) ) {
		$counter = intval( $matches[1] ) + 1;
	}
	$extension = isset( $matches[2] ) ? $matches[2] : '';
	return sprintf( ' (%d)%s', $counter, $extension );
}
427  
/**
 * Appends or increments a " (N)" counter in front of the file extension,
 * e.g. "a.jpg" -> "a (1).jpg" and "a (1).jpg" -> "a (2).jpg". Used by
 * get_unique_filename() to avoid overwriting an existing upload.
 *
 * @param string $name File name without directory part.
 * @return string
 */
protected function upcount_name( $name ) {
	$pattern = '/(?:(?: \(([\d]+)\))?(\.[^.]+))?$/';
	$callback = array( $this, 'upcount_name_callback' );
	// Limit of 1: only the final counter/extension pair is rewritten.
	return preg_replace_callback( $pattern, $callback, $name, 1 );
}
432  
433  	protected function get_unique_filename( $file_path, $name, $size, $type, $error,
434  		$index, $content_range ) {
435  		while ( is_dir( $this->get_upload_path( $name ) ) ) {
436  			$name = $this->upcount_name( $name );
437  		}
438  		// Keep an existing filename if this is part of a chunked upload:
439  		$uploaded_bytes = $this->fix_integer_overflow( intval( $content_range[1] ) );
440  		while ( is_file( $this->get_upload_path( $name ) ) ) {
441 if ( $uploaded_bytes === $this->get_file_size( $this->get_upload_path( $name ) ) )
442 { 443 break;
UploadHandler::get_file_name /photo-video-store/templates/upload_files_jquery2.php:498 (show/hide source)
478  			// Adjust incorrect image file extensions:
479  			if ( ! empty( $extensions ) )
480  			{
481  				$parts = explode( '.', $name );
482  				$extIndex = count( $parts ) - 1;
483  				$ext = strtolower( @$parts[$extIndex] );
484  				if ( ! in_array( $ext, $extensions ) )
485  				{
486  					$parts[$extIndex] = $extensions[0];
487  					$name = implode( '.', $parts );
488  				}
489  			}
490  		}
491  		return $name;
492  	}
493  
/**
 * Derives the stored file name for an upload: the client-supplied name is
 * first adjusted by trim_file_name() and then made unique within the upload
 * directory by get_unique_filename().
 *
 * @param string     $file_path     Temporary path of the uploaded file.
 * @param string     $name          Client-supplied file name (untrusted).
 * @param int|string $size          Declared size in bytes.
 * @param string     $type          Declared MIME type.
 * @param int        $error         PHP upload error code.
 * @param int|null   $index         Position within a multi-file upload.
 * @param array|null $content_range Parsed Content-Range header, if any.
 * @return string
 */
protected function get_file_name( $file_path, $name, $size, $type, $error, $index,
	$content_range ) {
	$trimmed_name = $this->trim_file_name( $file_path, $name, $size, $type, $error,
		$index, $content_range );
	return $this->get_unique_filename( $file_path, $trimmed_name, $size, $type, $error,
		$index, $content_range );
}
UploadHandler::handle_file_upload /photo-video-store/templates/upload_files_jquery2.php:992 (show/hide source)
972  				{
973  					$file->size = $this->get_file_size( $file_path, true );
974  				}
975  			} else
976  			{
977  				$failed_versions[] = $version ? $version : 'original';
978  			}
979  		}
980  		if ( count( $failed_versions ) ) {
981  			$file->error = $this->get_error_message( 'image_resize' ) . ' (' . implode( $failed_versions,
982  				', ' ) . ')';
983  		}
984  		// Free memory:
985  		$this->destroy_image_object( $file_path );
986  	}
987  
988  	protected function handle_file_upload( $uploaded_file, $name, $size, $type, $error,
989  		$index = null, $content_range = null ) {
990  		$file = new stdClass();
991  		$file->name = $this->get_file_name( $uploaded_file, $name, $size, $type, $error,
992 $index, $content_range );
993 $file->size = $this->fix_integer_overflow( intval( $size ) ); 994 $file->type = $type;
UploadHandler::post /photo-video-store/templates/upload_files_jquery2.php:1234 (show/hide source)
1214  			return $this->delete( $print_response );
1215  		}
1216  		$upload = isset( $_FILES[$this->options['param_name']] ) ? $_FILES[$this->
1217  			options['param_name']] : null;
1218  		// Parse the Content-Disposition header, if available:
1219  		$file_name = $this->get_server_var( 'HTTP_CONTENT_DISPOSITION' ) ? rawurldecode( preg_replace
1220  			( '/(^[^"]+")|("$)/', '', $this->get_server_var( 'HTTP_CONTENT_DISPOSITION' ) ) ) : null;
1221  		// Parse the Content-Range header, which has the following form:
1222  		// Content-Range: bytes 0-524287/2000000
1223  		$content_range = $this->get_server_var( 'HTTP_CONTENT_RANGE' ) ? preg_split( '/[^0-9]+/',
1224  			$this->get_server_var( 'HTTP_CONTENT_RANGE' ) ) : null;
1225  		$size = $content_range ? $content_range[3] : null;
1226  		$files = array();
1227  		if ( $upload && is_array( $upload['tmp_name'] ) ) {
1228  			// param_name is an array identifier like "files[]",
1229  			// $_FILES is a multi-dimensional array:
1230  			foreach ( $upload['tmp_name'] as $index => $value )
1231  			{
1232  				$files[] = $this->handle_file_upload( $upload['tmp_name'][$index], $file_name ?
1233  					$file_name : $upload['name'][$index], $size ? $size : $upload['size'][$index], $upload['type'][$index],
1234 $upload['error'][$index], $index, $content_range );
1235 } 1236 } else {
UploadHandler::initialize /photo-video-store/templates/upload_files_jquery2.php:182 (show/hide source)
162  		if ( $error_messages ) {
163  			$this->error_messages = $error_messages + $this->error_messages;
164  		}
165  		if ( $initialize ) {
166  			$this->initialize();
167  		}
168  	}
169  
170  	protected function initialize() {
171  		switch ( $this->get_server_var( 'REQUEST_METHOD' ) ) {
172  			case 'OPTIONS':
173  			case 'HEAD':
174  				$this->head();
175  				break;
176  			case 'GET':
177  				$this->get();
178  				break;
179  			case 'PATCH':
180  			case 'PUT':
181  			case 'POST':
182 $this->post();
183 break; 184 case 'DELETE':
UploadHandler::__construct /photo-video-store/templates/upload_files_jquery2.php:166 (show/hide source)
146  				// Make sure that this directory doesn't allow execution of files if you
147  				// don't pose any restrictions on the type of uploaded files, e.g. by
148  				// copying the .htaccess file from the files directory for Apache:
149  				//'upload_dir' => dirname($this->get_server_var('SCRIPT_FILENAME')).'/thumb/',
150  				//'upload_url' => $this->get_full_url().'/thumb/',
151  				// Uncomment the following to force the max
152  				// dimensions and e.g. create square thumbnails:
153  				//'crop' => true,
154  				'max_width' => 80,
155  				'max_height' => 80
156  				)
157  				*/
158  				) );
159  		if ( $options ) {
160  			$this->options = $options + $this->options;
161  		}
162  		if ( $error_messages ) {
163  			$this->error_messages = $error_messages + $this->error_messages;
164  		}
165  		if ( $initialize ) {
166 $this->initialize();
167 } 168 }