lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 06 Jul 2015 21:15:42 -0400
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: [FD] Remote file download in Wordpress Plugin
	mdc-youtube-downloader v2.1.0

Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site:
Vendor Notified: 2015-07-01, removed vulnerable code.
Vendor Contact:
Description: MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site.
The code in mdc-youtube-downloader/includes/download.php doesn't restrict access to the local file system allowing sensitive files to be

$file_name = $_GET['file'];

// make sure it's a file before doing anything!
if(is_file($file_name)) {
 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
                case 'pdf': $mime = 'application/pdf'; break;
                case 'zip': $mime = 'application/zip'; break;
                case 'jpeg':
                case 'jpg': $mime = 'image/jpg'; break;
                default: $mime = 'application/force-download';
        header('Pragma: public');       // required
        header('Expires: 0');           // no cache
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
        header('Cache-Control: private',false);
        header('Content-Type: '.$mime);
        header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
        header('Content-Transfer-Encoding: binary');
        header('Content-Length: '.filesize($file_name));        // provide file size
        header('Connection: close');
        readfile($file_name);           // push it out

CVEID: Requested, TBD.
Exploit Code:
	• $ curl

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists