Title: Arbitrary file download vulnerability in recent-backups v0.7 WordPress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-13
CVE-ID: CVE-2015-1000006
CWE: CWE-22 Path Traversal
Download Site: https://wordpress.org/plugins/recent-backups
Vendor: https://profiles.wordpress.org/andycheeseman/
Vendor Notified: 2015-07-14
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=144
Description: Used together with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
Vulnerability: The code in download-file.php neither verifies that the requesting user is logged in nor restricts which files may be downloaded; the file_link request parameter is passed to readfile() as-is. An unauthenticated request can therefore retrieve arbitrary files readable by the web server, including sensitive system files:
    <?php
    // download-file.php (v0.7): the path comes straight from the query string,
    // with no authentication check and no restriction to the backup directory.
    $file = $_GET['file_link'];

    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename='.basename($file));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        ob_clean();
        flush();
        // Any path that file_exists() accepts is streamed back to the client.
        readfile($file);
    }
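For comparison, the following is an added hardened version of the handler; it is example code written for this advisory, not the plugin's own fix. It assumes a WordPress context, a backup directory located at WP_CONTENT_DIR/backups (an assumed location; BackupWordPress sites should set their real path), and a nonce action name "recent_backups_download" that the dashboard widget would use when building the download link. The two defects from the advisory are addressed separately: a capability and nonce check gates access, and the file name is reduced to a basename and resolved with realpath() so that the served path must sit inside the backup directory.

```php
<?php
// Hardened download handler (added example, not the plugin's code).
// Assumes WordPress is loaded so that wp_die(), current_user_can() etc. exist.

// 1. Authentication and authorization: only logged-in administrators may fetch backups.
if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Forbidden', '', array( 'response' => 403 ) );
}

// 2. CSRF protection: the download link must carry a nonce for this action
//    (the action name is an assumption for this example).
check_admin_referer( 'recent_backups_download' );

// 3. The only directory files may be served from (assumed location).
$backup_dir = realpath( WP_CONTENT_DIR . '/backups' );
if ( $backup_dir === false ) {
    wp_die( 'Backup directory not available', '', array( 'response' => 500 ) );
}

// 4. Accept a bare file name only: basename() discards any directory component,
//    so "../../etc/passwd" or "/etc/passwd" collapse to "passwd".
$name = isset( $_GET['file_link'] ) ? basename( wp_unslash( $_GET['file_link'] ) ) : '';
if ( $name === '' || $name === '.' || $name === '..' ) {
    wp_die( 'Bad request', '', array( 'response' => 400 ) );
}

// 5. Resolve the candidate and confirm it is still inside $backup_dir.
//    realpath() follows symlinks and collapses "..", so a symlink placed in the
//    backup directory that points outside it is rejected as well.
$path = realpath( $backup_dir . DIRECTORY_SEPARATOR . $name );
if ( $path === false
    || strpos( $path, $backup_dir . DIRECTORY_SEPARATOR ) !== 0
    || ! is_file( $path ) ) {
    wp_die( 'Not found', '', array( 'response' => 404 ) );
}

// 6. Serve the validated file with the same headers as the original handler.
header( 'Content-Description: File Transfer' );
header( 'Content-Type: application/octet-stream' );
header( 'Content-Disposition: attachment; filename="' . $name . '"' );
header( 'Content-Transfer-Encoding: binary' );
header( 'Expires: 0' );
header( 'Cache-Control: must-revalidate, post-check=0, pre-check=0' );
header( 'Pragma: public' );
header( 'Content-Length: ' . filesize( $path ) );
ob_clean();
flush();
readfile( $path );
exit;
```

The realpath() prefix comparison is the check that actually enforces the directory boundary; basename() alone would still allow a symlink or hard link inside the backup directory to expose other content, and a capability check alone would still let any administrator read arbitrary files. Web server access logs showing requests to download-file.php whose file_link value contains "../" or an absolute path are a simple indicator that this endpoint has been probed on an unpatched install.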