Sell Downloads 1.0.1, Arbitrary File Disclosure

Due to the lack of sanitization of user input, it is possible to download arbitrary files from the site under the context of the web server user. This could lead to disclosure of server configuration files or other sensitive information.

Homepage

https://wordpress.org/plugins/sell-downloads/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 1.0.2.

Proof of Concept

Once the plugin is activated, an arbitrary file can be downloaded using a simple GET request. The vulnerable parameter is 'file', and it will accept either an absolute file path or a file path relative to the root of the WordPress site. Below are a couple of examples.

http://localhost/?sd_action=demo&file=/etc/passwd
http://localhost/?sd_action=demo&file=wp-config.php
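As a defender's check added here (not part of the advisory or of the plugin's own code), this Python script applies the confinement test the vulnerable handler lacked to the `file` parameter and runs it over constructed access-log lines modelled on the requests above; the WordPress root, the downloads directory and the log lines are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumed deployment layout (constructed for this example, not from the advisory).
WP_ROOT = "/var/www/html"
DOWNLOADS_DIR = "/var/www/html/wp-content/uploads/sell-downloads"

# Constructed Apache combined-format lines: the first two mirror the advisory's
# requests, the third is a legitimate download from the plugin's own directory.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/2014:10:01:02 +0000] "GET /?sd_action=demo&file=/etc/passwd HTTP/1.1" 200 1893 "-" "curl/7.38.0"
203.0.113.5 - - [19/Dec/2014:10:01:09 +0000] "GET /?sd_action=demo&file=wp-config.php HTTP/1.1" 200 3201 "-" "curl/7.38.0"
198.51.100.7 - - [19/Dec/2014:10:02:11 +0000] "GET /?sd_action=demo&file=wp-content/uploads/sell-downloads/demo.zip HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<target>\S+) HTTP/[\d.]+"')


def is_confined(file_param: str, wp_root: str = WP_ROOT, downloads_dir: str = DOWNLOADS_DIR) -> bool:
    """Resolve ``file`` the way an unsanitised handler would (absolute as-is,
    relative against the WordPress root) and accept it only if the result stays
    inside the downloads directory. realpath() collapses '..' and symlinks;
    commonpath() compares whole components, so a sibling directory that merely
    shares a string prefix is rejected as well."""
    candidate = file_param if os.path.isabs(file_param) else os.path.join(wp_root, file_param)
    resolved = os.path.realpath(candidate)
    allowed = os.path.realpath(downloads_dir)
    return os.path.commonpath([resolved, allowed]) == allowed


def flag_requests(log_text: str, wp_root: str = WP_ROOT, downloads_dir: str = DOWNLOADS_DIR):
    """Return (client_ip, file_param) for each sd_action request whose ``file``
    value would escape the downloads directory."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query)  # parse_qs URL-decodes values
        if "sd_action" not in query or "file" not in query:
            continue
        for value in query["file"]:
            if not is_confined(value, wp_root, downloads_dir):
                findings.append((line.split(" ", 1)[0], value))
    return findings


if __name__ == "__main__":
    for ip, value in flag_requests(SAMPLE_LOG):
        print(f"{ip} requested file={value!r} outside {DOWNLOADS_DIR}")
```

The same `is_confined` check is what a patched handler needs before opening the file: resolve first, then compare against the allowed directory, rather than pattern-matching the raw parameter.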

Timeline

  • 2014-12-19: Discovered
  • 2014-12-19: Vendor notified
  • 2014-12-19: Vendor replied
  • 2014-12-19: 1.0.2 released – issue resolved
  • 2014-12-29: Advisory released
  • 2015-01-05: CVE Requested
  • 2015-01-05: CVE Assigned