WordPress eShop Magic Plugin "file" Arbitrary File

by Carol~ Moderator - 10/12/12 9:41 AM

In Reply to: VULNERABILITIES / FIXES - October 12, 2012 by Carol~ Moderator

WordPress eShop Magic Plugin "file" Arbitrary File Disclosure Vulnerability

Release Date : 2012-10-12

Criticality level : Moderately critical
Impact: Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: WordPress eShop Magic Plugin 0.x

Description:
A vulnerability has been discovered in the eShop Magic plugin for WordPress, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "file" GET parameter in wp-content/plugins/eshop-magic/download.php is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.

The vulnerability is confirmed in version 0.1.

Solution:
Update to version 0.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://wordpress.org/extend/plugins/eshop-magic/changelog/

http://secunia.com/advisories/50933/
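
To check whether a site that ran version 0.1 received requests of the kind the advisory describes, the following added example (not part of the original post or of the plugin's code) scans web server access log lines for requests to download.php whose "file" parameter contains directory traversal sequences, including percent-encoded and double-encoded forms. The combined log format, the sample log lines and file names, and the extra check for absolute paths are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script path named in the advisory.
ENDPOINT = "wp-content/plugins/eshop-magic/download.php"
# Request line and status code inside a combined-format log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding, e.g. %252f -> %2f -> /."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(file_value):
    """True if the decoded value contains a '..' path segment.
    Absolute paths are flagged too (an assumption beyond the advisory)."""
    path = fully_decode(file_value).replace("\\", "/")
    return ".." in path.split("/") or path.startswith("/")

def scan(lines):
    """Return (line_number, status, decoded_file_value) for flagged requests."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.groups()
        url = urlsplit(target)
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs decodes once; is_suspicious handles any further layers.
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            if is_suspicious(value):
                hits.append((number, int(status), fully_decode(value)))
    return hits

# Constructed sample lines (documentation addresses, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2012:09:41:00 +0000] "GET /wp-content/plugins/eshop-magic/download.php?file=manual.pdf HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Oct/2012:09:42:10 +0000] "GET /wp-content/plugins/eshop-magic/download.php?file=../../../example.txt HTTP/1.1" 200 812',
    '192.0.2.44 - - [12/Oct/2012:09:42:15 +0000] "GET /wp-content/plugins/eshop-magic/download.php?file=..%252f..%252fexample.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [12/Oct/2012:09:43:00 +0000] "GET /index.php?file=../x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A flagged request that was answered with status 200 is the case to follow up first, since it suggests a file was actually returned.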