| Title: Arbitrary file download vulnerability in download-zip-attachments v1.0 |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2015-06-10 |
| [CVE-2015-4704] |
| Download Site: https://wordpress.org/plugins/download-zip-attachments/ |
| Vendor: |
| Vendor Notified: 2015-06-15 |
| Vendor Contact: https://profiles.wordpress.org/rivenvirus/ |
| Advisory: http://www.vapid.dhs.org/advisory.php?v=129http://www.vapid.dhs.org/advisory.php?v=129 |
| Description: Download all attachments from the post into a zip file. |
| Vulnerability: from download-zip-attachments/download.php makes no checks to verify the download path is with in the specified upload directory.
<?php
if(isset($_REQUEST['File']) && !empty($_REQUEST['File'])){
define('WP_USE_THEMES', false);
require('../../../wp-load.php');
require "create_zip_file.php";
$uploads = wp_upload_dir();
$tmp_location = $uploads['path']."/".$_REQUEST['File'];
//echo $tmp_location;
$zip = new CreateZipFile;
$zip->forceDownload($tmp_location,false);
unlink($tmp_location);
exit;
} |
| Export: JSON TEXT XML |
Exploit Code:
|
| Screen Shots: |
| Notes: |