Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928884 (2018-07-26 19:03:28)

Warning

Many of the listed findings are false positives or are not exploitable in practice. Please build a working proof of concept ("PoC") before reporting anything to the vendor!

Details:

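Sink Standard::copy
Risk _GET
The request parameter $_GET["f"] is passed through pvs_result_strict() and concatenated into $result_folder (line 450), which later forms the destination path of the copy() call at line 493. Whether the finding is exploitable depends on what pvs_result_strict() filters, which this listing does not show.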
/photo-video-store/templates/download_process.php:450
430  			$dir = opendir( pvs_upload_dir() . pvs_server_url( ( int )
431  				$publication_server ) . "/" . ( int )$publication_id );
432  			while ( $file = readdir( $dir ) ) {
433  				if ( $file == $result_filename . "." . $result_extention )
434  				{
435  					unlink( pvs_upload_dir() . pvs_server_url( ( int )$publication_server ) .
436  						"/" . ( int )$publication_id . "/" . $file );
437  				}
438  			}
439  		}
440  	}
441  } else {
442  	//Collection
443  	
444  	$sql = "select id, title, price, description,types from " . PVS_DB_PREFIX . "collections where active = 1 and id = " . (int)$collection_id;
445  	$ds->open( $sql );
446  	if ( ! $ds->eof ) {	
447  		$collection_files = array();
448  		$collection_filenames = array();
449  		
450 $result_folder = pvs_upload_dir() . "/content/categories/collection-" . $ds->row["id"] . "-" . pvs_result_strict( $_GET["f"] );
451 $result_path = $result_folder . ".zip"; 452 $result_filename = "collection-" . $ds->row["id"] . "-" . pvs_result_strict( $_GET["f"] );
Threat level 1

Callstack:

@INLINE::/photo-video-store/templates/download_process.php /photo-video-store/templates/download_process.php:493
473  		while (!$rs->eof) {
474  			if ($rs->row['media_id'] == 1) {
475  				$ext_array = array ('jpg', 'png', 'gif', 'raw' , 'tiff',  'eps', 'jp2', 'jpf', 'zip');
476  				for ( $i = 0; $i < count($ext_array); $i++ ) {
477  					if ($rs->row["url_" . $ext_array[$i]] != '' and file_exists(pvs_upload_dir() . pvs_server_url( $rs->row["server1"] ) . "/" . $rs->row["id"] . "/" . $rs->row["url_" . $ext_array[$i]])) {
478  						$collection_files[$rs->row["id"] . '_'  . $ext_array[$i]] = pvs_upload_dir() . pvs_server_url( $rs->row["server1"] ) . "/" . $rs->row["id"] . "/" . $rs->row["url_" . $ext_array[$i]];
479  						$collection_filenames[$rs->row["id"] . '_'  . $ext_array[$i]] = $rs->row["url_" . $ext_array[$i]];
480  					} else {
481  						if ( pvs_is_remote_storage() ) {
482  							$sql = "select url,filename1,filename2,width,height,item_id,filesize from " . PVS_DB_PREFIX . "filestorage_files where id_parent=" . $rs->row["id"] . " and item_id<>0";
483  							$dn->open( $sql );
484  							while ( ! $dn->eof ) {
485  								if (! file_exists ($result_folder)) {
486  									mkdir( $result_folder);
487  								}
488  								
489  								if (! file_exists ($result_folder . "/" . $rs->row["id"])) {
490  									mkdir( $result_folder . "/" . $rs->row["id"]);
491  								}
492  								
493 @copy($dn->row["url"] . "/" . $dn->row["filename2"], $result_folder . "/" . $rs->row["id"] . "/" . $dn->row["filename1"]);
494 495 $collection_files[$rs->row["id"] . '_' . $ext_array[$i]] = $result_folder . "/" . $rs->row["id"] . "/" . $dn->row["filename1"];