oss-sec mailing list archives
Re: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability.
From: cve-assign () mitre org
Date: Sun, 21 Jun 2015 06:42:39 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Vulnerability: zip-attachments allows arbitrary file downloads because it doesn't check the download path of the requested file. In zip-attachments/download.php, there is no check to see if the file is outside of the intended download path: 8 if(isset($_REQUEST['za_file']) && !empty($_REQUEST['za_file'])){ 9 10 $file = $_GET['za_file']; 11 $filename = $_GET['za_filename']; 12 13 header('Content-Type: application/zip'); 14 header('Content-Length: ' . filesize($file)); 15 header('Content-Disposition: attachment; filename="'.$filename.'.zip"'); 16 17 readfile($file); Any file readable by the httpd process can be downloaded. PoC: /wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd
Use CVE-2015-4694.
Vendor: Rick Torres @ricard_dev Fixed in: v1.1.5 by vendor. Download: https://wordpress.org/plugins/zip-attachments/
We don't know whether this is the same as: https://wordpress.org/plugins/zip-attachments/changelog/ 1.5.1 I've tried to fix a vulnerability. Possibly the similar numbers (1.1.5 versus 1.5.1) correspond to two different vulnerabilities. (https://downloads.wordpress.org/plugin/zip-attachments.1.5.1.zip exists, but neither https://downloads.wordpress.org/plugin/zip-attachments.1.1.4.zip nor https://downloads.wordpress.org/plugin/zip-attachments.1.1.5.zip exists.) 1.5.1 uses sanitize_file_name, apparently blocking '/' characters. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVhpS4AAoJEKllVAevmvmsCu0H/Ruf7xLl/3s1WIkYf+5Zq69K QApZ9xtEw8w+081r0pDDDHoAkh5Sqoinf4J3kSvEAhPgnYH2OsI+8UZuAssCbNCh dnFyF9TU59J+WnEmKh/gk9YTg/lxxApM2EG7hcAGVWbTHVVQ6mhy7XytgdC99LVK CcNyhCRQV3V/FCxOQ7H1tm048+AlZL2t+w8PawzjJ8xwUPn3+/Dqc08bs3ZNew9u Q67cqsBgjemj3aDUQxkHTvz1N6TB78+QCDU5zwaUHsCTA3ZSgv2A4m4B6nHCgt3r J7eYzlt1nUrdTvz00UpUDF+MPdLcl+NZWH3KvQE/qlC2iJP7h5ZL4K6H0KJZgG4= =p++T -----END PGP SIGNATURE-----
Current thread:
- zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability. Larry W. Cashdollar (Jun 12)
- Re: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability. cve-assign (Jun 21)