lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 13 Jul 2015 19:20:50 -0400
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: [FD] Remote file download vulnerability in Wordpress Plugin
 image-export v1.1

Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site:
Vendor Notified: 2015-07-05
Vendor Contact:
Description: Image Export plugin can help you selectively download images uploaded by an administrator .
The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only.  And line 8 attempts to
unlink the file after being downloaded.  This script could be used to delete files out of the wordpress directory if file permissions allow.
      1 <?php
      2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
      3         $file = $_GET['file'];
      5         header( 'Content-Type: application/zip' );
      6         header( 'Content-Disposition: attachment; filename="' . $file . '"' );
      7         readfile( $file );
      8         unlink( $file );
     10         exit;
     11 }
     12 ?>
Exploit Code:
	• $ curl
Screen Shots:

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists