| Title: Arbitrary file download vulnerability in Wordpress Plugin image-export v1.1 |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2015-07-01 |
| [CVE-2015-5609] |
| Download Site: https://wordpress.org/plugins/image-export |
| Vendor: |
| Vendor Notified: 2015-07-05 |
| Vendor Contact: https://twitter.com/1eftHander |
| Advisory: http://www.vapid.dhs.org/advisory.php?v=135http://www.vapid.dhs.org/advisory.php?v=135 |
| Description: Image Export plugin can help you selectively download images uploaded by an administrator . |
| Vulnerability: The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only. And line 8 attempts to
unlink the file after being downloaded. This script could be used to delete files out of the wordpress directory if file permissions allow.
1 <?php
2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
3 $file = $_GET['file'];
4
5 header( 'Content-Type: application/zip' );
6 header( 'Content-Disposition: attachment; filename="' . $file . '"' );
7 readfile( $file );
8 unlink( $file );
9
10 exit;
11 }
12 ?>
|
| Export: JSON TEXT XML |
Exploit Code:
|
| Screen Shots: |
| Notes: |