Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928874 (2018-07-26 18:58:37)

Warning

There are many false positives or unexploitable findings in these reports. Please build a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::move_uploaded_file
Risk _FILES
/photo-video-store/includes/functions/functions.php:3961
3941  
3942  /**
3943   * The function gets filename and file extention
3944   *
3945   * @param  string $filename - file path.
3946   * @param  string $type filename or extention.
3947   * @return string filename or extention
3948   */
3949  function pvs_get_file_info( $filename, $type )
3950  {
3951  	$fname = "";
3952  	$nf = explode( ".", $filename );
3953  	$fext = $nf[count( $nf ) - 1];
3954  
3955  	for ( $i = 0; $i < count( $nf ) - 1; $i++ )
3956  	{
3957  		if ( $fname != "" )
3958  		{
3959  			$fname .= ".";
3960  		}
3961 $fname .= $nf[$i];
3962 } 3963
Threat level 0

Callstack:

@INLINE::/photo-video-store/templates/profile_document_upload.php /photo-video-store/templates/profile_document_upload.php:55
35  		$file_filename = pvs_get_file_info( $_FILES["document_file"]['name'], "filename" );
36  		$file_extention = strtolower( pvs_get_file_info( $_FILES["document_file"]['name'],
37  			"extention" ) );
38  
39  		if ( ( $file_extention == "jpg" or $file_extention == "pdf" ) and ! preg_match( "/text/i",
40  			$_FILES["document_file"]['type'] ) ) {
41  			$sql = "insert into " . PVS_DB_PREFIX .
42  				"documents (id_parent,title,user_id,status,filename,data,comment) values (" . ( int )
43  				$_POST["document_type"] . ",'" . $rs->row["title"] . "'," . get_current_user_id() .
44  				",0,'" . $file_filename . "." . $file_extention . "'," . pvs_get_time( date( "H" ),
45  				date( "i" ), date( "s" ), date( "m" ), date( "d" ), date( "Y" ) ) . ",'')";
46  			$db->execute( $sql );
47  
48  			$sql = "select id from " . PVS_DB_PREFIX . "documents where user_id=" . ( int )
49  				get_current_user_id() . " order by data desc";
50  			$ds->open( $sql );
51  			$id = $ds->row["id"];
52  
53  			$img = "/content/users/doc_" . $id . "_" . $file_filename . "." . $file_extention;
54  			move_uploaded_file( $_FILES["document_file"]['tmp_name'], pvs_upload_dir() .
55 $img );
56 } 57 }