Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928892 (2018-07-26 19:03:29)

Warning

Many findings are false positives or vulnerabilities that cannot be exploited. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::fopen
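Risk _GET
Data flow (from the excerpts below): `$_GET["f"]` is passed through `pvs_result_strict()`, concatenated into `$result_folder` and `$result_path` (with a fixed `.zip` suffix), and handed to `pvs_readfile_chunked()`, which calls `fopen()` on it. Whether the path can actually be influenced depends on what `pvs_result_strict()` filters, and that function is not shown here.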
/photo-video-store/templates/download_process.php:450
430  			$dir = opendir( pvs_upload_dir() . pvs_server_url( ( int )
431  				$publication_server ) . "/" . ( int )$publication_id );
432  			while ( $file = readdir( $dir ) ) {
433  				if ( $file == $result_filename . "." . $result_extention )
434  				{
435  					unlink( pvs_upload_dir() . pvs_server_url( ( int )$publication_server ) .
436  						"/" . ( int )$publication_id . "/" . $file );
437  				}
438  			}
439  		}
440  	}
441  } else {
442  	//Collection
443  	
444  	$sql = "select id, title, price, description,types from " . PVS_DB_PREFIX . "collections where active = 1 and id = " . (int)$collection_id;
445  	$ds->open( $sql );
446  	if ( ! $ds->eof ) {	
447  		$collection_files = array();
448  		$collection_filenames = array();
449  		
450 $result_folder = pvs_upload_dir() . "/content/categories/collection-" . $ds->row["id"] . "-" . pvs_result_strict( $_GET["f"] );
451 $result_path = $result_folder . ".zip"; 452 $result_filename = "collection-" . $ds->row["id"] . "-" . pvs_result_strict( $_GET["f"] );
Threat level 1

Callstack:

@FUNCTION::pvs_readfile_chunked /photo-video-store/includes/functions/functions.php:9813
9793  	}
9794  
9795  	return $flag_download;
9796  }
9797  
9798  
9799  
9800  
9801  
9802  
9803  /**
9804   * The function reads a file by the portions
9805   *
9806   * @param  string $filename file path.
9807   * @return string file content
9808   */
9809  function pvs_readfile_chunked( $filename )
9810  {
9811  	$chunksize = 1 * ( 1024 * 1024 ); // how many bytes per chunk
9812  	$buffer = '';
9813 $handle = fopen( $filename, 'rb' );
9814 if ( $handle === false ) 9815 {
@INLINE::/photo-video-store/templates/download_process.php /photo-video-store/templates/download_process.php:550
530  				}
531  			}
532  			$rs->movenext();
533  		}
534  		
535  		if ( count( $collection_files ) == 0 ) {
536  			echo ( "expired" );
537  			exit();
538  		} else {
539  			
540  			$archive = new PclZip( $result_path );
541  			
542  			if (! file_exists ($result_folder)) {
543  				$archive->create( $collection_files, PCLZIP_OPT_ADD_PATH, $result_filename, PCLZIP_OPT_REMOVE_PATH, pvs_upload_dir() . "" );
544  			} else {
545  				$archive->create( $collection_files, PCLZIP_OPT_ADD_PATH, $result_filename, PCLZIP_OPT_REMOVE_PATH, $result_folder );			
546  			}
547  			
548  			header( "Content-Type:" . $mmtype[strtolower( $result_extention )] );
549  			header( "Content-Disposition: attachment; filename=" . str_replace( " ", "%20", $result_filename ) . "." . $result_extention );
550 pvs_readfile_chunked( $result_path );
551 552 if (file_exists ($result_path)) {