Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928862 (2018-07-26 18:54:26)

Warning

Many of these findings are false positives or not exploitable in practice. Build a working proof-of-concept exploit before reporting anything to the vendor.

Details:

Sink: is_file() (PHP standard library)

Tainted source: $_GET
/photo-video-store/templates/upload_files_jquery2.php:1107 (show/hide source)
1087  				{
1088  					$this->header( 'Range: 0-' . ( $this->fix_integer_overflow( intval( $files[0]->
1089  						size ) ) - 1 ) );
1090  				}
1091  			}
1092  			$this->body( $json );
1093  		}
1094  		return $content;
1095  	}
1096  
1097  	protected function get_version_param() {
1098  		return isset( $_GET['version'] ) ? basename( stripslashes( $_GET['version'] ) ) : null;
1099  	}
1100  
1101  	protected function get_singular_param_name() {
1102  		return substr( $this->options['param_name'], 0, -1 );
1103  	}
1104  
1105  	protected function get_file_name_param() {
1106  		$name = $this->get_singular_param_name();
1107 return isset( $_GET[$name] ) ? basename( stripslashes( $_GET[$name] ) ) : null;
1108 } 1109
Threat level 1. Note that the flagged parameter is passed through basename() at line 1107 before it reaches is_file() at line 294, so directory components such as "../" are stripped and this path alone does not yield directory traversal. What would still need checking is whether the download entry point is reachable without authentication and how get_upload_path() composes the final path; neither is shown in this listing.

Callstack:

UploadHandler::is_valid_file_object /photo-video-store/templates/upload_files_jquery2.php:294 (show/hide source)
274  			$size += 2.0 * ( PHP_INT_MAX + 1 );
275  		}
276  		return $size;
277  	}
278  
279  	protected function get_file_size( $file_path, $clear_stat_cache = false ) {
280  		if ( $clear_stat_cache ) {
281  			if ( version_compare( PHP_VERSION, '5.3.0' ) >= 0 )
282  			{
283  				clearstatcache( true, $file_path );
284  			} else
285  			{
286  				clearstatcache();
287  			}
288  		}
289  		return $this->fix_integer_overflow( filesize( $file_path ) );
290  	}
291  
292  	protected function is_valid_file_object( $file_name ) {
293  		$file_path = $this->get_upload_path( $file_name );
294 if ( is_file( $file_path ) && $file_name[0] !== '.' ) {
295 return true; 296 }
UploadHandler::download /photo-video-store/templates/upload_files_jquery2.php:1148 (show/hide source)
1128  			default:
1129  				return '';
1130  		}
1131  	}
1132  
1133  	protected function download() {
1134  		switch ( $this->options['download_via_php'] ) {
1135  			case 1:
1136  				$redirect_header = null;
1137  				break;
1138  			case 2:
1139  				$redirect_header = 'X-Sendfile';
1140  				break;
1141  			case 3:
1142  				$redirect_header = 'X-Accel-Redirect';
1143  				break;
1144  			default:
1145  				return $this->header( 'HTTP/1.1 403 Forbidden' );
1146  		}
1147  		$file_name = $this->get_file_name_param();
1148 if ( ! $this->is_valid_file_object( $file_name ) ) {
1149 return $this->header( 'HTTP/1.1 404 Not Found' ); 1150 }
UploadHandler::get /photo-video-store/templates/upload_files_jquery2.php:1201 (show/hide source)
1181  		$this->header( 'Access-Control-Allow-Credentials: ' . ( $this->options['access_control_allow_credentials'] ?
1182  			'true' : 'false' ) );
1183  		$this->header( 'Access-Control-Allow-Methods: ' . implode( ', ', $this->options['access_control_allow_methods'] ) );
1184  		$this->header( 'Access-Control-Allow-Headers: ' . implode( ', ', $this->options['access_control_allow_headers'] ) );
1185  	}
1186  
1187  	public function head() {
1188  		$this->header( 'Pragma: no-cache' );
1189  		$this->header( 'Cache-Control: no-store, no-cache, must-revalidate' );
1190  		$this->header( 'Content-Disposition: inline; filename="files.json"' );
1191  		// Prevent Internet Explorer from MIME-sniffing the content-type:
1192  		$this->header( 'X-Content-Type-Options: nosniff' );
1193  		if ( $this->options['access_control_allow_origin'] ) {
1194  			$this->send_access_control_headers();
1195  		}
1196  		$this->send_content_type_header();
1197  	}
1198  
1199  	public function get( $print_response = true ) {
1200  		if ( $print_response && isset( $_GET['download'] ) ) {
1201 return $this->download();
1202 } 1203 $file_name = $this->get_file_name_param();
UploadHandler::initialize /photo-video-store/templates/upload_files_jquery2.php:177 (show/hide source)
157  				*/
158  				) );
159  		if ( $options ) {
160  			$this->options = $options + $this->options;
161  		}
162  		if ( $error_messages ) {
163  			$this->error_messages = $error_messages + $this->error_messages;
164  		}
165  		if ( $initialize ) {
166  			$this->initialize();
167  		}
168  	}
169  
170  	protected function initialize() {
171  		switch ( $this->get_server_var( 'REQUEST_METHOD' ) ) {
172  			case 'OPTIONS':
173  			case 'HEAD':
174  				$this->head();
175  				break;
176  			case 'GET':
177 $this->get();
178 break; 179 case 'PATCH':
UploadHandler::__construct /photo-video-store/templates/upload_files_jquery2.php:166 (show/hide source)
146  				// Make sure that this directory doesn't allow execution of files if you
147  				// don't pose any restrictions on the type of uploaded files, e.g. by
148  				// copying the .htaccess file from the files directory for Apache:
149  				//'upload_dir' => dirname($this->get_server_var('SCRIPT_FILENAME')).'/thumb/',
150  				//'upload_url' => $this->get_full_url().'/thumb/',
151  				// Uncomment the following to force the max
152  				// dimensions and e.g. create square thumbnails:
153  				//'crop' => true,
154  				'max_width' => 80,
155  				'max_height' => 80
156  				)
157  				*/
158  				) );
159  		if ( $options ) {
160  			$this->options = $options + $this->options;
161  		}
162  		if ( $error_messages ) {
163  			$this->error_messages = $error_messages + $this->error_messages;
164  		}
165  		if ( $initialize ) {
166 $this->initialize();
167 } 168 }
@INLINE::/photo-video-store/templates/upload_files_jquery.php /photo-video-store/templates/upload_files_jquery.php:93 (show/hide source)
73  		for ( $i = 0; $i < count( $tp ); $i++ ) {
74  			if ( $tp[$i] != "" )
75  			{
76  				$ftypes[$tp[$i]] = 1;
77  			}
78  		}
79  		$rs->movenext();
80  	}
81  }
82  
83  foreach ( $ftypes as $key => $value ) {
84  	if ( $filetypes != "" ) {
85  		$filetypes .= "|";
86  	}
87  	$filetypes .= $key;
88  }
89  
90  //echo($filetypes);
91  
92  require ( 'upload_files_jquery2.php' );
93 $upload_handler = new UploadHandler();
94 ?>