oss-sec mailing list archives

Re: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability.

From: cve-assign () mitre org
Date: Sun, 21 Jun 2015 06:42:39 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability: zip-attachments allows arbitrary file downloads because
it doesn't check the download path of the requested file.

In zip-attachments/download.php, there is no check to see if the file
is outside of the intended download path:

  8 if(isset($_REQUEST['za_file']) && !empty($_REQUEST['za_file'])){
  9 
 10     $file = $_GET['za_file'];
 11     $filename = $_GET['za_filename'];
 12 
 13     header('Content-Type: application/zip');
 14     header('Content-Length: ' . filesize($file));
 15     header('Content-Disposition: attachment; filename="'.$filename.'.zip"');
 16 
 17     readfile($file);

Any file readable by the httpd process can be downloaded.

PoC:
/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd


Use CVE-2015-4694.

Vendor: Rick Torres @ricard_dev
Fixed in: v1.1.5 by vendor.
Download: https://wordpress.org/plugins/zip-attachments/


We don't know whether this is the same as:

  https://wordpress.org/plugins/zip-attachments/changelog/
  1.5.1
  I've tried to fix a vulnerability.

Possibly the similar numbers (1.1.5 versus 1.5.1) correspond to two
different vulnerabilities.
(https://downloads.wordpress.org/plugin/zip-attachments.1.5.1.zip
exists, but neither
https://downloads.wordpress.org/plugin/zip-attachments.1.1.4.zip nor
https://downloads.wordpress.org/plugin/zip-attachments.1.1.5.zip
exists.)

1.5.1 uses sanitize_file_name, apparently blocking '/' characters.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVhpS4AAoJEKllVAevmvmsCu0H/Ruf7xLl/3s1WIkYf+5Zq69K
QApZ9xtEw8w+081r0pDDDHoAkh5Sqoinf4J3kSvEAhPgnYH2OsI+8UZuAssCbNCh
dnFyF9TU59J+WnEmKh/gk9YTg/lxxApM2EG7hcAGVWbTHVVQ6mhy7XytgdC99LVK
CcNyhCRQV3V/FCxOQ7H1tm048+AlZL2t+w8PawzjJ8xwUPn3+/Dqc08bs3ZNew9u
Q67cqsBgjemj3aDUQxkHTvz1N6TB78+QCDU5zwaUHsCTA3ZSgv2A4m4B6nHCgt3r
J7eYzlt1nUrdTvz00UpUDF+MPdLcl+NZWH3KvQE/qlC2iJP7h5ZL4K6H0KJZgG4=
=p++T
-----END PGP SIGNATURE-----

Current thread:

zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability. Larry W. Cashdollar (Jun 12)
- Re: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability. cve-assign (Jun 21)