Project: WordPress Plugin Advanced Access Manager 5.9.8

Vulnerability: #9252747 (2019-07-22 10:09:09)

Warning

Many findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

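Sink Standard::file_get_contents
Risk _SERVER (the flagged input source is the $_SERVER superglobal, read in the first listing below; the callstack that follows shows the code leading to the file_get_contents() call)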
/advanced-access-manager/application/Core/Request.php:73
53       *
54       * @access public
55       * @static
56       */
public static function request($param = null, $default = null) {
    // $_REQUEST holds client-supplied values, so whatever comes back from
    // here is untrusted; callers should validate it before using it in
    // file paths, queries or output.
    $value = self::readArray($_REQUEST, $param, $default);

    return $value;
}
60      
/**
 * Read a value from the $_SERVER superglobal
 *
 * Thin wrapper that hands $_SERVER to self::readArray() together with the
 * requested key and the fallback value.
 *
 * Security note: many $_SERVER entries (REQUEST_URI, QUERY_STRING and the
 * HTTP_* headers, for example) are set by the client. Treat the result as
 * untrusted input and validate it before it is used to build a
 * filesystem path or is passed to a sink such as file_get_contents().
 *
 * @param string $param   Key to look up in $_SERVER
 * @param mixed  $default Value passed to readArray() as the fallback
 *
 * @return mixed Whatever self::readArray() returns
 *
 * @access public
 * @static
 */
public static function server($param = null, $default = null) {
    $value = self::readArray($_SERVER, $param, $default);

    return $value;
}
Threat level 0

Callstack:

AAM_Core_Media::printMedia /advanced-access-manager/application/Core/Media.php:144
124          }
125          
126          if (empty($path) || !file_exists($path)) {
127              $path = ABSPATH . $this->request_uri;
128          }
129          
130          //normalize path and strip all unexpected trails. Thanks to Antonius Hegyes
131          $path  = preg_replace('/\?.*$/', '', $path);
132          $rpath = preg_replace('/\?.*$/', '', $this->request_uri);
133          
134          //finally replace the filename with requested filename
135          $request = str_replace(basename($path), basename($rpath), $path);
136          
137          if (empty($mime)) {
138              if (function_exists('mime_content_type')) {
139                  $mime = mime_content_type($request);
140              }
141          }
142          
143          @header('Content-Type: ' . (empty($mime) ? $type : $mime));
144 echo file_get_contents($request);
145 exit; 146 }
AAM_Core_Media::checkMediaAccess /advanced-access-manager/application/Core/Media.php:106
86                  if (!$media->allowed('frontend.read')) {
87                      $args = array(
88                          'hook'   => 'media_read', 
89                          'action' => "{$area}.read", 
90                          'post'   => $media->getPost()
91                      );
92                          
93                      $default = AAM_Core_Config::get('media.default.placeholder');
94                      
95                      if ($default) {
96                          do_action('aam-access-rejected-action', $area, $args);
97                          $this->printMedia(get_post($default));
98                      } else {
99                          AAM_Core_API::reject($area, $args);
100                      }
101                  } else {
102                      $this->printMedia($media);
103                  }
104              }
105          } else {
106 $this->printMedia($media);
107 } 108 }