Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928845 (2018-07-26 18:54:24)

Warning

Many findings from this scanner are false positives or unexploitable sinks. Build a working proof-of-concept exploit (a request that actually reads or writes something it should not) before reporting anything to the vendor.

Details:

Sink: Standard::filesize() — the file path handed to filesize() is derived from request input.
Source (risk): $_GET — the file name and version query parameters.
/photo-video-store/templates/upload_files_jquery2.php:1107 (show/hide source)
1087  				{
1088  					$this->header( 'Range: 0-' . ( $this->fix_integer_overflow( intval( $files[0]->
1089  						size ) ) - 1 ) );
1090  				}
1091  			}
1092  			$this->body( $json );
1093  		}
1094  		return $content;
1095  	}
1096  
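/**
 * Reads the optional "version" query parameter that selects which stored
 * variant of a file a request refers to (it is passed to get_upload_path()
 * and get_download_url() in download()).
 *
 * The raw value is untrusted. stripslashes() undoes backslash escaping and
 * basename() drops every directory component, so "../x/y" collapses to "y".
 * basename() does NOT neutralise the inputs "." and "..": it returns them
 * unchanged, and ".." spliced into a filesystem path could step one level
 * out of the intended directory (how get_upload_path() joins the version is
 * not visible here). Those two values, and non-string input such as
 * ?version[]=x (which would make stripslashes() fail), are treated as
 * "no version".
 *
 * @return string|null the sanitised version name, or null when the parameter
 *                     is absent, not a string, or reduces to "." / ".."
 */
protected function get_version_param() {
	if ( ! isset( $_GET['version'] ) || ! is_string( $_GET['version'] ) ) {
		return null;
	}
	$version = basename( stripslashes( $_GET['version'] ) );
	// basename('..') === '..' and basename('.') === '.'; neither can name a
	// real version directory, and '..' would escape the upload path.
	if ( $version === '.' || $version === '..' ) {
		return null;
	}
	return $version;
}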
1100  
/**
 * Derives the name of the single-file query parameter from the configured
 * multi-file parameter name by dropping its final character (so an upload
 * field named "files" maps to a "file" download parameter).
 *
 * @return string the 'param_name' option minus its last character
 */
protected function get_singular_param_name() {
	$plural_name = $this->options['param_name'];
	return substr( $plural_name, 0, -1 );
}
1104  
/**
 * Reads the query parameter that names a single stored file; the parameter
 * name comes from get_singular_param_name().
 *
 * The value is request-controlled. stripslashes() removes backslash
 * escaping and basename() strips directory components, so "../" sequences
 * cannot survive into the returned name. basename() does leave "." and ".."
 * untouched; in download() the result is gated by is_valid_file_object()
 * before it is used to build a path, and it is also echoed into the
 * Content-Disposition header there.
 *
 * @return string|null the sanitised file name, or null if the parameter is absent
 */
protected function get_file_name_param() {
	$param = $this->get_singular_param_name();
	if ( ! isset( $_GET[$param] ) ) {
		return null;
	}
	return basename( stripslashes( $_GET[$param] ) );
}
Threat level 1. Assessment: the $_GET value reaches filesize() only after stripslashes()+basename() (lines 1098/1107) and, in download(), an is_valid_file_object() check on the file name (line 1148), so "../" traversal in the name is not available; the points still worth a PoC are that basename() passes "." and ".." through unchanged (the version value is spliced into the path at line 1155) and that the request-derived $file_name is placed unescaped inside the quoted Content-Disposition filename at lines 1160/1163.

Callstack:

UploadHandler::get_file_size /photo-video-store/templates/upload_files_jquery2.php:289 (show/hide source)
269  
/**
 * Re-interprets a negative size as an unsigned 32-bit value.
 *
 * On builds where filesize() wraps into a signed 32-bit int, sizes in
 * [2^31, 2^32) come back negative; adding 2 * (PHP_INT_MAX + 1) (a float,
 * since PHP_INT_MAX + 1 overflows to float) restores the intended
 * magnitude, which works for sizes up to 2^32 - 1 bytes. Non-negative
 * input is returned untouched. A `false` from a failed filesize() is not
 * negative and therefore also passes through unchanged.
 *
 * @param int|float|false $size value reported by filesize()
 * @return int|float|false the corrected size
 */
protected function fix_integer_overflow( $size ) {
	if ( $size >= 0 ) {
		return $size;
	}
	// Float arithmetic: PHP_INT_MAX + 1 cannot be represented as an int.
	$wrap_around = 2.0 * ( PHP_INT_MAX + 1 );
	return $size + $wrap_around;
}
278  
/**
 * Returns the size in bytes of the file at $file_path.
 *
 * @param string $file_path        path to stat; in download() this is built by
 *                                 get_upload_path() from request-derived,
 *                                 basename()-sanitised components
 * @param bool   $clear_stat_cache when true, drop PHP's cached stat data first
 *                                 so the size reflects the current on-disk state
 * @return int|float|false the size passed through fix_integer_overflow().
 *                         filesize() returns false (with a warning) when the
 *                         path cannot be stat'ed; that false is returned
 *                         as-is, so download() would then send an empty
 *                         Content-Length header.
 */
protected function get_file_size( $file_path, $clear_stat_cache = false ) {
	if ( $clear_stat_cache ) {
		// The per-path form of clearstatcache() exists from PHP 5.3 onwards;
		// older builds can only clear the whole cache.
		$has_targeted_clear = version_compare( PHP_VERSION, '5.3.0' ) >= 0;
		if ( $has_targeted_clear ) {
			clearstatcache( true, $file_path );
		} else {
			clearstatcache();
		}
	}
	$raw_size = filesize( $file_path );
	return $this->fix_integer_overflow( $raw_size );
}
UploadHandler::download /photo-video-store/templates/upload_files_jquery2.php:1165 (show/hide source)
1145  				return $this->header( 'HTTP/1.1 403 Forbidden' );
1146  		}
1147  		$file_name = $this->get_file_name_param();
1148  		if ( ! $this->is_valid_file_object( $file_name ) ) {
1149  			return $this->header( 'HTTP/1.1 404 Not Found' );
1150  		}
1151  		if ( $redirect_header ) {
1152  			return $this->header( $redirect_header . ': ' . $this->get_download_url( $file_name,
1153  				$this->get_version_param(), true ) );
1154  		}
1155  		$file_path = $this->get_upload_path( $file_name, $this->get_version_param() );
1156  		// Prevent browsers from MIME-sniffing the content-type:
1157  		$this->header( 'X-Content-Type-Options: nosniff' );
1158  		if ( ! preg_match( $this->options['inline_file_types'], $file_name ) ) {
1159  			$this->header( 'Content-Type: application/octet-stream' );
1160  			$this->header( 'Content-Disposition: attachment; filename="' . $file_name . '"' );
1161  		} else {
1162  			$this->header( 'Content-Type: ' . $this->get_file_type( $file_path ) );
1163  			$this->header( 'Content-Disposition: inline; filename="' . $file_name . '"' );
1164  		}
1165 $this->header( 'Content-Length: ' . $this->get_file_size( $file_path ) );
1166 $this->header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s T', filemtime( $file_path ) ) ); 1167 $this->readfile( $file_path );
UploadHandler::get /photo-video-store/templates/upload_files_jquery2.php:1201 (show/hide source)
1181  		$this->header( 'Access-Control-Allow-Credentials: ' . ( $this->options['access_control_allow_credentials'] ?
1182  			'true' : 'false' ) );
1183  		$this->header( 'Access-Control-Allow-Methods: ' . implode( ', ', $this->options['access_control_allow_methods'] ) );
1184  		$this->header( 'Access-Control-Allow-Headers: ' . implode( ', ', $this->options['access_control_allow_headers'] ) );
1185  	}
1186  
/**
 * Handles HEAD (and, via initialize(), OPTIONS) requests: emits headers only.
 *
 * Disables caching, declares the (absent) body as an inline "files.json",
 * sets X-Content-Type-Options: nosniff so clients cannot reinterpret the
 * content type, adds the CORS headers when an allowed origin is configured,
 * and finally sends the content type.
 */
public function head() {
	$fixed_headers = array(
		'Pragma: no-cache',
		'Cache-Control: no-store, no-cache, must-revalidate',
		'Content-Disposition: inline; filename="files.json"',
		// Stop browsers (historically Internet Explorer) from MIME-sniffing.
		'X-Content-Type-Options: nosniff',
	);
	foreach ( $fixed_headers as $header_line ) {
		$this->header( $header_line );
	}
	if ( $this->options['access_control_allow_origin'] ) {
		$this->send_access_control_headers();
	}
	$this->send_content_type_header();
}
1198  
1199  	public function get( $print_response = true ) {
1200  		if ( $print_response && isset( $_GET['download'] ) ) {
1201 return $this->download();
1202 } 1203 $file_name = $this->get_file_name_param();
UploadHandler::initialize /photo-video-store/templates/upload_files_jquery2.php:177 (show/hide source)
157  				*/
158  				) );
159  		if ( $options ) {
160  			$this->options = $options + $this->options;
161  		}
162  		if ( $error_messages ) {
163  			$this->error_messages = $error_messages + $this->error_messages;
164  		}
165  		if ( $initialize ) {
166  			$this->initialize();
167  		}
168  	}
169  
170  	protected function initialize() {
171  		switch ( $this->get_server_var( 'REQUEST_METHOD' ) ) {
172  			case 'OPTIONS':
173  			case 'HEAD':
174  				$this->head();
175  				break;
176  			case 'GET':
177 $this->get();
178 break; 179 case 'PATCH':
UploadHandler::__construct /photo-video-store/templates/upload_files_jquery2.php:166 (show/hide source)
146  				// Make sure that this directory doesn't allow execution of files if you
147  				// don't pose any restrictions on the type of uploaded files, e.g. by
148  				// copying the .htaccess file from the files directory for Apache:
149  				//'upload_dir' => dirname($this->get_server_var('SCRIPT_FILENAME')).'/thumb/',
150  				//'upload_url' => $this->get_full_url().'/thumb/',
151  				// Uncomment the following to force the max
152  				// dimensions and e.g. create square thumbnails:
153  				//'crop' => true,
154  				'max_width' => 80,
155  				'max_height' => 80
156  				)
157  				*/
158  				) );
159  		if ( $options ) {
160  			$this->options = $options + $this->options;
161  		}
162  		if ( $error_messages ) {
163  			$this->error_messages = $error_messages + $this->error_messages;
164  		}
165  		if ( $initialize ) {
166 $this->initialize();
167 } 168 }