Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0

Type securityvulns
Reporter Securityvulns
Modified 2015-06-14T00:00:00


Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0 Author: Larry W. Cashdollar, @_larry0 Date: 2015-06-06 Advisory: Download Site: Vendor: Vendor Notified: 2015-06-06 Vendor Contact: Description: An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.

Vulnerability: The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.

This vulnerability doesn’t require authentication to the Wordpress site.

File ./se-html5-album-audio-player/download_audio.php:

3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file']; 4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/'); 5 // make sure it's a file before doing anything! 6 if( is_file($file_name) && $is_in_uploads_dir !== false ) { 7 8 // required for IE 9 if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); } 10
11 // get the file mime type using the file extension 12 switch(strtolower(substr(strrchr($file_name, '.'), 1))) { 13 case 'pdf': $mime = 'application/pdf'; break; 14 case 'zip': $mime = 'application/zip'; break; 15 case 'jpeg': 16 case 'jpg': $mime = 'image/jpg'; break; 17 default: $mime = 'application/force-download'; 18 } 19 header('Pragma: public'); // required 20 header('Expires: 0'); // no cache 21 header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); 22 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT'); 23 header('Cache-Control: private',false); 24 header('Content-Type: '.$mime); 25 header('Content-Disposition: attachment; filename="'.basename($file_name).'"'); 26 header('Content-Transfer-Encoding: binary');
27 header('Content-Length: '.filesize($file_name)); // provide file size 28 header('Connection: close'); 29 readfile($file_name); // push it out 30 exit();

The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.

CVEID: 2015-4414 OSVDB: Exploit Code: • $ curl