Title: Arbitrary file download vulnerability in ibs-Mappro v0.6 Wordpress plugin |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-07-08 |
CVE-ID:[CVE-2015-5472] |
CWE: CWE-22 Path Traversal |
Download Site: https://wordpress.org/plugins/ibs-mappro/ |
Vendor: Hmoore71 |
Vendor Notified: 2015-07-08 |
Vendor Contact: Contacted via webform |
Advisory: |
Description: IBS Mappro is a comprehensive map creator, editor, and view generator based on the Google Maps API v3 and supports kml, kmz, and gpx map files. |
Vulnerability: the download.php script allows any remote user to download files off of the server:
if (isset($_GET)) {
$filename = $_GET['file'];
$info = pathinfo($filename);
$name = $info['basename'];
if (file_exists($filename)) {
header('Set-Cookie: fileDownload=true; path=/');
header('Cache-Control: max-age=60, must-revalidate');
header('Content-Disposition: attachment; filename="' . $title . '-' . $timestamp . '.csv"');
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($filename));
ob_clean();
flush();
readfile($filename);
exit;
} else {
die;
}
} else {
die;
}
?> |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory