MiwoFTP - File & Folder Manager 1.0.4, Arbitrary File Disclosure
A hook is added to ‘init’ in the file ‘miwoftp/miwoftp.php’. Because ‘init’ fires on every request, the hooked function runs whenever anyone visits the front end of the site, with no authentication or capability check. The function then serves the contents of a file to the requester, limited only to the home directory of the site (the WordPress install root). The path is built from several values taken from the GET scope; rather than being read from $_GET directly, these values are first copied into the $GLOBALS array, from which the download logic then reads them.
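As an added illustration (this is example code written for this page, not MiwoFTP's own source; the request parameter names ‘miwoftp_download’ and ‘file’ and the download directory are assumptions), the shape of the vulnerable handler beside a hardened one. Two points matter: the function needs a capability and nonce check so unauthenticated visitors cannot reach it at all, and the permitted directory must be narrower than the install root, since a containment check against ABSPATH alone would still allow ‘wp-config.php’.

```php
<?php
// Added example, not MiwoFTP's code. Parameter names and the allowed
// directory are assumptions chosen to illustrate the pattern.

// --- Vulnerable pattern: GET-controlled path, no auth check, scope is the
// --- whole site root, so wp-config.php is reachable without any "../".
function example_vulnerable_download() {
    if ( ! isset( $_GET['miwoftp_download'] ) ) {
        return;
    }
    // Request values are copied into $GLOBALS and later used to build the path.
    $GLOBALS['file'] = $_GET['file'];
    $path = ABSPATH . $GLOBALS['file'];
    header( 'Content-Type: application/octet-stream' );
    readfile( $path );
    exit;
}

// --- Hardened version of the same handler.
function example_hardened_download() {
    if ( ! isset( $_GET['miwoftp_download'] ) ) {
        return;
    }
    // 1. Only administrators may download, and the request must carry a
    //    valid nonce (check_admin_referer() dies on failure).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'miwoftp_download' );

    // 2. Confine the resolved path to a directory narrower than ABSPATH
    //    (assumed here: the uploads directory). realpath() collapses
    //    "../" and symlinks before the prefix comparison.
    $base   = realpath( WP_CONTENT_DIR . '/uploads' );
    $target = realpath( $base . '/' . wp_unslash( $_GET['file'] ) );
    if ( false === $base || false === $target
        || 0 !== strncmp( $target, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) ) {
        wp_die( 'Invalid path', '', array( 'response' => 400 ) );
    }

    // 3. Never serve PHP source, even from inside the allowed tree.
    if ( 'php' === strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) ) {
        wp_die( 'Invalid path', '', array( 'response' => 400 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $target ) . '"' );
    readfile( $target );
    exit;
}

add_action( 'init', 'example_hardened_download' );
```

The prefix comparison includes the trailing directory separator so that a sibling directory sharing the same name prefix (for example ‘uploads2’) is not accepted as being inside ‘uploads’.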
Solution
Update to version 1.0.5.
Proof of Concept
The following URL, when visited on a vulnerable installation by an unauthenticated user, returns the contents of the ‘wp-config.php’ file. This discloses the database credentials and, where configured, FTP credentials, which in the worst case could be used to gain further access.
Timeline
- 2015-03-09: Discovered
- 2015-03-09: Vendor notified
- 2015-03-09: Vendor responded
- 2015-03-09: Version 1.0.5 released – issue resolved