MiwoFTP - File & Folder Manager 1.0.4, Arbitrary File Disclosure
A hook is added to ‘init’ in the file ‘miwoftp/miwoftp.php’. This hook fires whenever a user visits the front end of the site. The function registered on it lets that user download a file from within the home directory of the site. The path is built from several values taken from the GET scope, which are first copied into a separate array, $GLOBALS.
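The two checks the handler described above lacks are an authorisation check and a containment check on the requested item. The following added example (illustrative code, not the plugin's) models a download handler that performs both: it refuses unauthenticated callers, restricts downloads to a dedicated served directory rather than the site root, and canonicalises the path before testing containment. The site layout, the `files/` folder and the `user_can_manage` flag are constructed assumptions for the demonstration.

```python
"""Illustrative hardened download handler (not MiwoFTP's code).

Models the checks the advisory's handler lacked: the caller must be
authorised, and the requested item must resolve inside an allow-listed
directory, never the site root itself.
"""
import tempfile
from pathlib import Path


class DownloadDenied(Exception):
    """Raised when a download request fails an authorisation or path check."""


def resolve_download(served_root: Path, item: str, user_can_manage: bool) -> Path:
    """Return the absolute path to serve, or raise DownloadDenied.

    served_root:     the only directory files may be served from (assumption:
                     a dedicated folder, not the WordPress home directory).
    item:            the untrusted value of the `item` request parameter.
    user_can_manage: result of the capability check the caller performed
                     (in WordPress this would come from current_user_can()).
    """
    if not user_can_manage:
        raise DownloadDenied("authorisation required")
    if not item or "\x00" in item:
        raise DownloadDenied("malformed item")
    root = served_root.resolve()
    # Join, then canonicalise: resolve() collapses '..' and follows symlinks,
    # so the containment test below sees the real target, not the raw string.
    candidate = (root / item).resolve()
    # Containment: the candidate must be the root itself or sit below it.
    if candidate != root and root not in candidate.parents:
        raise DownloadDenied("item escapes served directory")
    if not candidate.is_file():
        raise DownloadDenied("not a regular file")
    return candidate


def build_demo_site() -> Path:
    """Constructed fixture: a site root holding wp-config.php and a files/ folder."""
    base = Path(tempfile.mkdtemp(prefix="demo_site_")).resolve()
    (base / "wp-config.php").write_text("<?php // constructed placeholder secrets\n")
    files = base / "files"
    files.mkdir()
    (files / "report.pdf").write_bytes(b"%PDF-1.4 constructed\n")
    return base


def check_request(base: Path, item: str, user_can_manage: bool) -> str:
    """Run one request through the handler and summarise the outcome."""
    try:
        path = resolve_download(base / "files", item, user_can_manage)
        return f"served:{path.relative_to(base).as_posix()}"
    except DownloadDenied as exc:
        return f"denied:{exc}"


if __name__ == "__main__":
    site = build_demo_site()
    for requested, authorised in [("report.pdf", True), ("report.pdf", False),
                                  ("../wp-config.php", True), ("wp-config.php", True)]:
        print(f"{requested!r:22} auth={authorised!s:5} -> {check_request(site, requested, authorised)}")
```

Note that the served directory is deliberately not the site root: even with a correct containment check, serving from the home directory would still expose wp-config.php to any authorised user, so the allow-listed folder is the first line of defence and the path check is the second.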
Homepage
https://wordpress.org/plugins/miwoftp/
CVSS Score
5
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 1.0.5.
Proof of Concept
The following URL, when visited on a vulnerable installation by an anonymous user, results in disclosure of the ‘wp-config.php’ file. This may expose database or FTP credentials, which in the worst case could lead to further access.
http://localhost/?action=download&option=com_miwoftp&item=wp-config.php
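For sites that could not update immediately, the request pattern above is easy to pick out of web server access logs. The following added example (not part of the advisory) scans constructed combined-format log lines for front-end requests carrying the `action=download` and `option=com_miwoftp` parameters, and rates a hit as high severity when the `item` parameter names wp-config.php. The sample log lines, the IP addresses and the assumption that admin-side (`/wp-admin/`) requests are the plugin's intended, authenticated use are all constructed for the demonstration.

```python
"""Access-log detection for the MiwoFTP front-end download request (added example)."""
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Mar/2015:10:01:02 +0000] "GET /?action=download&option=com_miwoftp&item=wp-config.php HTTP/1.1" 200 2918 "-" "curl/7.38.0"
203.0.113.5 - - [09/Mar/2015:10:01:09 +0000] "GET /?action=download&option=com_miwoftp&item=files/report.pdf HTTP/1.1" 200 4096 "-" "curl/7.38.0"
198.51.100.7 - - [09/Mar/2015:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2015:10:02:05 +0000] "GET /wp-admin/admin.php?page=miwoftp&action=download&option=com_miwoftp&item=files/report.pdf HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Split one combined-format line into its fields, or return None."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(entry: dict):
    """Return an alert dict when the entry matches the advisory's request shape."""
    parts = urlsplit(entry["target"])
    query = parse_qs(parts.query)  # parse_qs already percent-decodes values
    if query.get("action") != ["download"] or query.get("option") != ["com_miwoftp"]:
        return None
    # Assumption: requests under /wp-admin/ are the plugin's authenticated
    # admin-side use; the unauthenticated path in the advisory is the front end.
    if parts.path.startswith("/wp-admin/"):
        return None
    item = query.get("item", [""])[0]
    severity = "high" if os.path.basename(item) == "wp-config.php" else "medium"
    return {
        "ip": entry["ip"],
        "ts": entry["ts"],
        "item": item,
        "status": entry["status"],
        "severity": severity,
    }


def scan(log_text: str) -> list:
    """Run every line through the parser and classifier; collect alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['ip']} item={alert['item']} status={alert['status']}")
```

A 200 status on a high-severity hit means the file was actually returned, so such a host should be treated as having its wp-config.php contents (and any credentials in it) disclosed, which is the point at which credential rotation rather than just patching becomes the relevant response.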
Timeline
- 2015-03-09: Discovered
- 2015-03-09: Vendor notified
- 2015-03-09: Vendor responded
- 2015-03-09: Version 1.0.5 released – issue resolved