MiwoFTP – File & Folder Manager <= 1.0.4 – Arbitrary File Disclosure

Description

A hook is added to ‘init’ in the file ‘miwoftp/miwoftp.php’. This hook is triggered whenever a user visits the front end of the site. The function specified in this hook will proceed to allow the user to download a file within the scope of the home directory of the site. Various values from the GET scope are used when specifying the path, however these values are placed into a separate array named $GLOBALS.

Proof of Concept

http://example.com/?action=download&option=com_miwoftp&item=wp-config.php

Affects Plugins

miwoftp

Fixed in 1.0.5

References

URL

https://g0blin.co.uk/g0blin-00038/

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

Miscellaneous

Submitter

James Hooker

Submitter website

https://research.g0blin.co.uk

Submitter twitter

g0blinResearch

Verified

WPVDB ID

3b4e8918-81b5-4431-9c90-4a4562dd9880

Timeline

Publicly Published

2015-03-16 (about 9 years ago)

Added

2015-03-17 (about 9 years ago)

Last Updated

2020-03-04 (about 4 years ago)

Other

Published

Title

Published

2022-08-15

Title

Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthenticated LFI

Published

2016-03-03

Title

epic Theme - Arbitrary File Download

Published

2021-06-09

Title

Motor theme < 3.1.0 - Unauthenticated Local File Inclusion

Published

2015-07-07

Title

S3Bubble Amazon S3 Video And Audio Streaming With Analytics <= 2.0 - Arbitrary File Download

Published

2014-08-01

Title

WP Online Store 1.3.1 - index.php slug Parameter Traversal Local File Inclusion