[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Please reject CVE-2014-8585
From:       Henri Salo <henri () nerv ! fi>
Date:       2014-11-27 0:12:27
Message-ID: 20141127001227.GB29773 () kludge ! henri ! nerv ! fi
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mitre,

Please REJECT CVE-2014-8585, thanks.

Directory traversal vulnerability in the WordPress Download Manager plugin for
WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in
the fname parameter to (1) views/file_download.php or (2) file_download.php.

File file_download.php is not available in any version of WordPress plugin
"download-manager" checked SVN and latest 2.7.4 version from
https://wordpress.org/plugins/download-manager/

PoC refers to random WordPress installation with plugin named
"document_manager", which is indeed vulnerable. I sent abuse emails to few
affected targets. Plugin "document_manager" is custom and not available in WP
plugin repository.

This was noticed during http://www.wpscan.org/ development.

If I am correct OSVDB item refers to issue listed in vexatioustendencies.com,
which has different attack scenario and payloads. 

References:
- - http://osvdb.org/111215
- - http://secunia.com/advisories/59925/
- - http://packetstormsecurity.com/files/128852/WordPress-Download-Manager-Arbitrary-File-Download.html
- - https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlR2bGsACgkQXf6hBi6kbk/6tgCeL3A5Wuw10z9lth01PfcZ73XX
MBUAn2RBTmkJAJuwPS/hvaZxg2ycxcVA
=upSJ
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]