Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928851 (2018-07-26 18:54:24)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink Standard::is_file
Risk _GET
/photo-video-store/templates/upload_files_jquery2.php:1107 (show/hide source)
1087  				{
1088  					$this->header( 'Range: 0-' . ( $this->fix_integer_overflow( intval( $files[0]->
1089  						size ) ) - 1 ) );
1090  				}
1091  			}
1092  			$this->body( $json );
1093  		}
1094  		return $content;
1095  	}
1096  
1097  	protected function get_version_param() {
1098  		return isset( $_GET['version'] ) ? basename( stripslashes( $_GET['version'] ) ) : null;
1099  	}
1100  
1101  	protected function get_singular_param_name() {
1102  		return substr( $this->options['param_name'], 0, -1 );
1103  	}
1104  
1105  	protected function get_file_name_param() {
1106  		$name = $this->get_singular_param_name();
1107 return isset( $_GET[$name] ) ? basename( stripslashes( $_GET[$name] ) ) : null;
1108 } 1109
Threat level 1

Callstack:

UploadHandler::get_file_object /photo-video-store/templates/upload_files_jquery2.php:310 (show/hide source)
290  	}
291  
292  	protected function is_valid_file_object( $file_name ) {
293  		$file_path = $this->get_upload_path( $file_name );
294  		if ( is_file( $file_path ) && $file_name[0] !== '.' ) {
295  			return true;
296  		}
297  		return false;
298  	}
299  
300  	protected function get_file_object( $file_name ) {
301  		if ( $this->is_valid_file_object( $file_name ) ) {
302  			$file = new stdClass();
303  			$file->name = $file_name;
304  			$file->size = $this->get_file_size( $this->get_upload_path( $file_name ) );
305  			$file->url = $this->get_download_url( $file->name );
306  			foreach ( $this->options['image_versions'] as $version => $options )
307  			{
308  				if ( ! empty( $version ) )
309  				{
310 if ( is_file( $this->get_upload_path( $file_name, $version ) ) )
311 { 312 $file->{$version . 'Url'} = $this->get_download_url( $file->name, $version );
UploadHandler::get /photo-video-store/templates/upload_files_jquery2.php:1205 (show/hide source)
1185  	}
1186  
1187  	public function head() {
1188  		$this->header( 'Pragma: no-cache' );
1189  		$this->header( 'Cache-Control: no-store, no-cache, must-revalidate' );
1190  		$this->header( 'Content-Disposition: inline; filename="files.json"' );
1191  		// Prevent Internet Explorer from MIME-sniffing the content-type:
1192  		$this->header( 'X-Content-Type-Options: nosniff' );
1193  		if ( $this->options['access_control_allow_origin'] ) {
1194  			$this->send_access_control_headers();
1195  		}
1196  		$this->send_content_type_header();
1197  	}
1198  
1199  	public function get( $print_response = true ) {
1200  		if ( $print_response && isset( $_GET['download'] ) ) {
1201  			return $this->download();
1202  		}
1203  		$file_name = $this->get_file_name_param();
1204  		if ( $file_name ) {
1205 $response = array( $this->get_singular_param_name() => $this->get_file_object( $file_name ) );
1206 } else { 1207 $response = array( $this->options['param_name'] => $this->get_file_objects() );
UploadHandler::initialize /photo-video-store/templates/upload_files_jquery2.php:177 (show/hide source)
157  				*/
158  				) );
159  		if ( $options ) {
160  			$this->options = $options + $this->options;
161  		}
162  		if ( $error_messages ) {
163  			$this->error_messages = $error_messages + $this->error_messages;
164  		}
165  		if ( $initialize ) {
166  			$this->initialize();
167  		}
168  	}
169  
170  	protected function initialize() {
171  		switch ( $this->get_server_var( 'REQUEST_METHOD' ) ) {
172  			case 'OPTIONS':
173  			case 'HEAD':
174  				$this->head();
175  				break;
176  			case 'GET':
177 $this->get();
178 break; 179 case 'PATCH':
UploadHandler::__construct /photo-video-store/templates/upload_files_jquery2.php:166 (show/hide source)
146  				// Make sure that this directory doesn't allow execution of files if you
147  				// don't pose any restrictions on the type of uploaded files, e.g. by
148  				// copying the .htaccess file from the files directory for Apache:
149  				//'upload_dir' => dirname($this->get_server_var('SCRIPT_FILENAME')).'/thumb/',
150  				//'upload_url' => $this->get_full_url().'/thumb/',
151  				// Uncomment the following to force the max
152  				// dimensions and e.g. create square thumbnails:
153  				//'crop' => true,
154  				'max_width' => 80,
155  				'max_height' => 80
156  				)
157  				*/
158  				) );
159  		if ( $options ) {
160  			$this->options = $options + $this->options;
161  		}
162  		if ( $error_messages ) {
163  			$this->error_messages = $error_messages + $this->error_messages;
164  		}
165  		if ( $initialize ) {
166 $this->initialize();
167 } 168 }