eShop Magic Plugin ‘File’ Parameter Arbitrary File Disclosure Vulnerability

Summary

The eShop Magic plugin for WordPress is prone to an arbitrary-file-disclosure vulnerability.

Credit:

The original article can be found at: http://wordpress.org/extend/plugins/eshop-magic/changelog/


Details

Vulnerable Systems:
 * eShop Magic 0.1

An attacker can exploit this vulnerability to view local files in the context of the webserver process, which may aid in further attacks.

A vulnerability has been discovered in the eShop Magic plugin for WordPress, which can be exploited by malicious people to disclose sensitive information. Input passed to the ‘file’ GET parameter in wp-content/plugins/eshop-magic/download.php is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.

eShop Magic Plugin for WordPress contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the wp-content/plugins/eshop-magic/download.php script not properly sanitizing user input, specifically directory traversal sequences (e.g., ../../) supplied via the ‘file’ parameter. This directory traversal attack would allow the attacker to gain access to arbitrary files.
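One way to confine a download handler's ‘file’ parameter to its intended directory, shown as an added example that is not the plugin's code or its fix. The function name resolve_download(), the directory layout and the sample inputs are constructed for illustration.

```php
<?php
// Added example; not the plugin's code. resolve_download() and the
// directory layout below are hypothetical.

// Map a user-supplied name to a real file under $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ segments and resolves symlinks, and
    // returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling
    // such as "downloads-old" cannot pass as "downloads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo tree: one file inside the base, one outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
$base = $root . DIRECTORY_SEPARATOR . 'downloads';
mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'manual.pdf', 'inside');
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', 'outside');

$inputs = ['manual.pdf', '../secret.txt', './../secret.txt',
           "manual.pdf\0.txt", 'missing.pdf'];
foreach ($inputs as $in) {
    $path = resolve_download($base, $in);
    // A real handler would answer 404 on null and readfile($path) otherwise.
    printf("%-24s %s\n", json_encode($in, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : 'served');
}

// Remove the demo tree.
unlink($base . DIRECTORY_SEPARATOR . 'manual.pdf');
unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($base);
rmdir($root);
```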

Disclosure Timeline:
Published: Oct 12 2012
Updated: Oct 12 2012
