MainWP Dashboard [Unauthenticated Local File Download]
Description
The MainWP Dashboard plugin allows anyone to download files under wp-content/uploads/mainwp without authentication. Files stored under that location contain sensitive information such as cookies or database and file backups.
Upon WordPress initialization the plugin calls the method MainWP_System::parse_init(). This method checks whether various $_GET parameters are set and, if they are, performs a series of predefined actions. Because this method is called whenever WordPress is initialized, these actions are available to unauthenticated users as well.
To download a file the attacker must know the path relative to the wp-content/uploads/mainwp directory and the exact size of the file he is interested in. This is mandatory because the plugin checks the $_GET['sig'] parameter to see whether it matches the MD5 of the file size. Downloading a file outside wp-content/uploads/mainwp doesn't seem possible because the plugin checks the path for double dots.
PoC
If the plugin is installed it should have created the file wp-content/uploads/mainwp/index.php, which is 0 bytes. We can download it with the following request:
curl 'http://sbwp1.dev/?mwpdl=index.php&sig=cfcd208495d565ef66e7dff9f98764da'
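As an added detection example (not part of the advisory and not MainWP project code), the following Python scans constructed web-server access-log lines for requests to the mwpdl download handler described above, records which file was requested, and flags path-traversal attempts and requests the server actually served:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2016:10:01:02 +0000] "GET /?mwpdl=index.php&sig=cfcd208495d565ef66e7dff9f98764da HTTP/1.1" 200 0 "-" "curl/7.47.0"
203.0.113.5 - - [23/May/2016:10:01:09 +0000] "GET /?mwpdl=backup%2Fsite.zip&sig=0123456789abcdef0123456789abcdef HTTP/1.1" 404 0 "-" "curl/7.47.0"
198.51.100.7 - - [23/May/2016:10:02:11 +0000] "GET /wp-admin/admin.php?page=mainwp_tab HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [23/May/2016:10:03:30 +0000] "GET /?mwpdl=..%2F..%2Fwp-config.php&sig=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 0 "-" "curl/7.47.0"
"""

# Client IP, timestamp, request target and HTTP status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_mwpdl_requests(log_text):
    """Flag every request carrying the mwpdl parameter handled by parse_init()."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # parse_qs percent-decodes values, so an encoded "..%2F" becomes "../".
        qs = parse_qs(urlsplit(rec["target"]).query)
        if "mwpdl" not in qs:
            continue
        path = qs["mwpdl"][0]
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": path,                      # path relative to uploads/mainwp
            "sig": qs.get("sig", [""])[0],     # md5 of the file size, per the advisory
            "traversal": ".." in path,         # attempt to leave the uploads directory
            "served": rec["status"] == 200,    # a 200 means the file was handed out
        })
    return hits


if __name__ == "__main__":
    for hit in find_mwpdl_requests(SAMPLE_LOG):
        print(hit)
```

Any mwpdl request from an unauthenticated client is worth an alert on its own; a served request for a backup archive is an indication the contents have been exposed.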
- Date: 23 May 2016
- Author: Pan Vag
- Vendor: mainwp.com
- Plugin: MainWP Dashboard
- Version: 3.1.4
- WordPress: 4.5
- ID: DWF-2016-87047