oss-sec mailing list archives

Re: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5

From: cve-assign () mitre org
Date: Fri, 10 Jul 2015 16:28:17 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com

readfile(HAET_INVOICE_PATH.$_GET['filename']);

/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd

https://wordpress.org/plugins/wp-ecommerce-shop-styling/changelog/
2.6: fixed security bug

https://plugins.trac.wordpress.org/changeset/1193456


Code added in 2.6:

   if( strpos($_GET['filename'], '/') !== FALSE )
       die();
   if( strrpos( strtolower($_GET['filename']), '.pdf') !== strlen($_GET['filename'])-4 )
       die();

Use CVE-2015-5468.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVoCmfAAoJEKllVAevmvmsBY0H/2Mn/yxrMrQxOZe58AssL+SJ
TCeDkR+HtXqXMTi2xrWVUkyJI9db6bMu8RbbHOUz6YOM/CjmLVNrpIpgGro6xvIP
+KW7rynEPnEgg4q+uRfo9C762FiVcWJqlbs4NtfCRCumOi3ZgG2ZIOMeu5ihmjyr
iYkiaS4Rc2Yy6KtUb28iipzLtqDz6FduRbuMvlqb2c53cypQBLPCSrHpE9O5l7Nr
f1jPvxWIiPZzOLu6RrAz6nabuoYFsWLmPfcV+6UKfCFMiSEbAs0b9rUT1pea7Z5P
1xXe70Rh8OYomFG1EuamnD6jJcgQzgTaoSKYXCRh9dteDGnWSsChd624Vo/GuLw=
=g0mR
-----END PGP SIGNATURE-----

Current thread:

Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5 Larry W. Cashdollar (Jul 06)
- Re: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5 cve-assign (Jul 10)