Viewing 1 replies (of 1 total)
  • Hi Tim,

    With version 3.4.3 we revised how WPtouch authenticates file uploads. Where we had previously been relying on an admin nonce, since that version, the plugin’s file uploads (icons, web app mode startup screens) can only be performed by a logged-in user with administrative privileges.

    Absent further information from the reporter, we do not believe there is any significant vulnerability identified in yesterday’s report.

    However, out of an abundance of caution, we will be including a patch in release 3.4.7 which aggressively limits the types of files that can be uploaded through WPtouch.

    Thanks,

    Martin Kuplens-Ewart
    Product Designer
    WPtouch
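
The two controls described in the reply above (a capability check instead of relying on a nonce alone, plus a restriction on uploadable file types) can be sketched as follows. This is an added example, not WPtouch's code and not part of the original reply; the action name, nonce name, form field, `manage_options` capability and allow-list are assumptions chosen for illustration.

```php
<?php
// Added illustration, not WPtouch code. Hook name, nonce name, field name,
// capability and allow-list are hypothetical.

const EXAMPLE_ALLOWED_MIMES = array(
    'png'      => 'image/png',
    'jpg|jpeg' => 'image/jpeg',
    'gif'      => 'image/gif',
);

// Only the wp_ajax_ hook is registered (no wp_ajax_nopriv_), so logged-out
// requests never reach the handler.
add_action( 'wp_ajax_example_icon_upload', 'example_icon_upload' );

function example_icon_upload() {
    // Authorization: a nonce binds a request to a session and an action, but
    // any user who can obtain it can send it, so it is not a role check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The nonce stays as CSRF protection on top of the capability check.
    check_ajax_referer( 'example_icon_upload', 'nonce' );

    if ( empty( $_FILES['icon'] ) || UPLOAD_ERR_OK !== $_FILES['icon']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Type restriction: the extension and the detected content type must both
    // resolve to an entry in the image allow-list.
    $checked = wp_check_filetype_and_ext(
        $_FILES['icon']['tmp_name'],
        $_FILES['icon']['name'],
        EXAMPLE_ALLOWED_MIMES
    );
    if ( empty( $checked['ext'] ) || empty( $checked['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload applies the same allow-list again when moving the file.
    $moved = wp_handle_upload(
        $_FILES['icon'],
        array( 'test_form' => false, 'mimes' => EXAMPLE_ALLOWED_MIMES )
    );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $moved['url'] ) );
}
```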


The topic ‘WPtouch 3.4.5 Shell Upload Vulnerability’ is closed to new replies.