Title: Arbitrary file download in simple-image-manipulator v1.0 WordPress plugin |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-07-16 |
[CVE-2015-1000010] |
Download Site: https://wordpress.org/plugins/simple-image-manipulator |
Vendor: |
Vendor Notified: 2015-07-16 |
Vendor Contact: plugins@wordpress.org |
Advisory: http://www.vapidlabs.com/advisory.php?v=144 |
Description: Manipulate your wordpress images using slider and tickboxes. |
Vulnerability: In ./simple-image-manipulator/controller/download.php no check is made to authenticate the user or to sanitize the request input that determines the file location:
function output_file($file, $name, $mime_type='')
{
    .
    .
    .
    /* Figure out the MIME type | Check in array */
    $known_mime_types=array(
        "pdf" => "application/pdf",
        "txt" => "text/plain",
        "html" => "text/html",
        "htm" => "text/html",
        "exe" => "application/octet-stream",
        "zip" => "application/zip",
        "doc" => "application/msword",
        "xls" => "application/vnd.ms-excel",
        "ppt" => "application/vnd.ms-powerpoint",
        "gif" => "image/gif",
        "png" => "image/png",
        "jpeg"=> "image/jpg",
        "jpg" => "image/jpg",
        "php" => "text/plain"
    );

    if($mime_type==''){
        $file_extension = strtolower(substr(strrchr($file,"."),1));
        if(array_key_exists($file_extension, $known_mime_types)){
            $mime_type=$known_mime_types[$file_extension];
        } else {
            $mime_type="application/force-download";
        };
    };
    .
    .
    .
    // sink: $file is the caller-supplied path, opened as-is
    if ($file = fopen($file, 'r'))
    {
        if(isset($_SERVER['HTTP_RANGE']))
            fseek($file, $range);

        while(!feof($file) &&
              (!connection_aborted()) &&
              ($bytes_send<$new_length)
             )
        {
            $buffer = fread($file, $chunksize);
            print($buffer); //echo($buffer); // can also possible
            flush();
            $bytes_send += strlen($buffer);
        }
        fclose($file);
    } else
        //If no permissiion
        die('Error - can not open file.');
    //die
    die();
}
//Set the time out
set_time_limit(0);


//Call the download function with file path,file name and file type
// source: $_REQUEST values reach output_file() with no authentication, nonce or path check
output_file($_REQUEST['filepath'], ''.$_REQUEST['filename'].'', 'text/plain'); |
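The following is an added example of how the bottom of download.php could be hardened; it is not code from the plugin or from the advisory author. It keeps the page's output_file() but refuses to call it until the request has been authorized, checked for CSRF and confined to the uploads directory. It assumes it runs inside WordPress (current_user_can, check_admin_referer, wp_upload_dir, wp_unslash and status_header are WordPress core functions); the nonce action name 'sim_download_file' and the helper name sim_safe_download_path are assumptions of this example.

```php
<?php
// Added example (not the plugin's code): hardened replacement for the
// unconditional output_file($_REQUEST['filepath'], ...) call in download.php.
// Assumes WordPress is loaded; 'sim_download_file' and sim_safe_download_path
// are names chosen for this example.

/**
 * Resolve a user-supplied relative path against $base and return the absolute
 * path only if it stays inside $base and has an allowed extension; null otherwise.
 */
function sim_safe_download_path( $base, $requested, array $allowed_ext ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return null;
    }
    // NUL bytes can truncate paths in C-level file APIs; strip them first.
    $requested = str_replace( "\0", '', (string) $requested );
    // Treat every request as relative to the base, even if it starts with '/'.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim( $requested, '/\\' );
    $resolved  = realpath( $candidate ); // false if the file does not exist
    if ( false === $resolved ) {
        return null;
    }
    // The resolved path must be strictly below the base directory: this is
    // what defeats ../ sequences and symlinks that point out of the tree.
    if ( 0 !== strpos( $resolved, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    $ext = strtolower( pathinfo( $resolved, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        return null;
    }
    return $resolved;
}

// --- request handler (replaces the unconditional output_file() call) ---

// 1. Authorization: anonymous visitors never reach the file-serving code.
if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
    status_header( 403 );
    exit( 'Forbidden' );
}

// 2. CSRF: the download link must have been built with wp_nonce_url() for
//    the same action name; check_admin_referer() dies on a bad nonce.
check_admin_referer( 'sim_download_file' );

// 3. Path validation: only existing image files under wp-content/uploads.
$upload_dir = wp_upload_dir();
$requested  = isset( $_REQUEST['filepath'] ) ? wp_unslash( $_REQUEST['filepath'] ) : '';
$path       = sim_safe_download_path(
    $upload_dir['basedir'],
    $requested,
    array( 'gif', 'png', 'jpg', 'jpeg' )
);
if ( null === $path ) {
    status_header( 400 );
    exit( 'Invalid file' );
}

// 4. The download name and MIME type come from the validated file, not from the request.
$mime = array( 'gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg' );
$ext  = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
set_time_limit( 0 );
output_file( $path, basename( $path ), $mime[ $ext ] );
```

The confinement is done with realpath() plus a prefix comparison rather than by stripping "../" from the input: stripping leaves encoded, doubled or symlink-based variants to worry about, whereas comparing the canonical path against the canonical base answers the only question that matters, namely whether the file that would actually be opened lives inside the allowed tree. The filename sent to the browser is derived from that validated path as well, so the second request parameter no longer influences the response at all.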
Exploit Code: |
Screen Shots: |
Notes: |