oss-sec mailing list archives
zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability.
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Fri, 12 Jun 2015 14:35:16 -0400
May I please have a CVE for this issue:

Title: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability.
Author: Larry W. Cashdollar
Date: 6/10/2015
Vendor: Rick Torres @ricard_dev
Vendor Notified: 6/11/2015
Fixed in: v1.1.5 by vendor.
Download: https://wordpress.org/plugins/zip-attachments/
CVEID: TBD

Description: Simple and lightweight plugin to add a "Download" button to your posts, pages or custom post types.

Vulnerability: zip-attachments allows arbitrary file downloads because it doesn't check the download path of the requested file.

In zip-attachments/download.php, there is no check to see if the file is outside of the intended download path:

<?php
// za_file is taken straight from the request and handed to filesystem
// functions without being confined to the plugin's download directory.
if(isset($_REQUEST['za_file']) && !empty($_REQUEST['za_file'])){

    $file = $_GET['za_file'];
    $filename = $_GET['za_filename'];

    header('Content-Type: application/zip');
    header('Content-Length: ' . filesize($file));
    header('Content-Disposition: attachment; filename="'.$filename.'.zip"');

    readfile($file);
    unlink($file);
}

Any file readable by the httpd process can be downloaded.

PoC:
http://www.example.com/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd
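The confinement check that download.php lacks, written as an added PHP example (not the plugin's code and not the vendor's v1.1.5 fix); the ZA_ZIP_DIR path is an assumed location for the plugin's generated zips:

```php
<?php
// Added example, not the plugin's own code. The directory below is an
// assumption standing in for wherever the plugin writes its zip files.
define('ZA_ZIP_DIR', '/var/www/html/wp-content/uploads/zip-attachments');

/**
 * Resolve $requested inside $baseDir and return the canonical path only if
 * it is a regular file located under $baseDir; otherwise return null.
 */
function za_resolve_download(string $baseDir, string $requested): ?string
{
    // The handler only serves files it created directly in $baseDir, so a
    // name containing a path separator or a NUL byte is rejected outright.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks and returns false for a
    // nonexistent file, so a prefix comparison on its result is meaningful.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = za_resolve_download(ZA_ZIP_DIR, $_GET['za_file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}
// Build the download name from the server-side path rather than from
// za_filename, so the Content-Disposition header is not user-controlled.
$name = basename($path, '.zip');
header('Content-Type: application/zip');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '.zip"');
readfile($path);
unlink($path); // can now only remove a file inside ZA_ZIP_DIR
```

With this check in place the PoC request above resolves to a path outside ZA_ZIP_DIR and is answered with a 404 instead of the file contents.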