14 Jul 2016

Arbitrary Directory Download Vulnerability in Download Theme

Recently we found that the Download Plugin plugin contained an arbitrary directory download vulnerability. The Download Theme plugin is from the same developer and has very similar code, which leads to it having the same vulnerability. Other than the AJAX function and the function it connects to being named differently, the only difference is that you don’t need to include an input for the value “f” as well as the directory when making the request to exploit this vulnerability.

Proof of Concept

The following proof of concept will ZIP up the website’s files and prompt you to download them.

14 Jul 2016

Arbitrary Directory Download Vulnerability in Download Plugin

In looking at security vulnerabilities we have found that any WordPress plugin could have a serious vulnerability, like the authenticated option deletion vulnerability we found in two related plugins for adding social media buttons, which would have allowed any logged-in user to disable a website. Certain plugins, though, present more obvious risks. Those obvious risks don’t mean that anyone is actually doing any checking on them. A recent pair of vulnerabilities we found is an example of that.

One type of vulnerability that we see hackers frequently trying to exploit through WordPress plugins is what we refer to as an arbitrary file viewing vulnerability, which is a vulnerability that allows the viewing of the contents of a file. That can manifest itself as the contents of the file being displayed as a web page or being served up as a download. Hackers try to exploit this type of vulnerability to view the contents of WordPress’s configuration file, wp-config.php, which contains the database credentials for the website.