Vulnerability category: CGI
Vulnerability level:
Vulnerability information
WordPress is an open source blogging tool and content management system based on PHP and MySQL. It has many features including a plug-in architecture and a template system. DukaPress is an open source e-commerce solution built for WordPress.
The vulnerability exists in the dukapress/lib/dp_image.php source file shipped with the affected plugin versions. This file does not sufficiently sanitize user-supplied input received via the src parameter before using it to build a filesystem path, so a remote, unauthenticated attacker can read arbitrary files on the web server by supplying .. (dot dot) sequences in that parameter.
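The following PHP is an added illustration of the pattern the advisory describes and of a hardened replacement; it is not DukaPress code and is not the actual contents of dp_image.php. The function names, the upload directory under WP_CONTENT_DIR, and the allowed extension list are assumptions made for the example.

```php
<?php
// Added example, not DukaPress code. Shows the unsafe pattern described in the
// advisory beside a hardened version. Names and paths below are assumptions.

// UNSAFE: the ?src= value is concatenated straight into a filesystem path, so
// src=../../../../wp-config.php walks out of the intended directory.
function unsafe_image_path(string $src, string $base_dir): string {
    return $base_dir . '/' . $src;
}

// HARDENED: canonicalise the requested path, then require that it still lies
// inside $base_dir, is a regular file, and carries an allowed image extension.
function safe_image_path(string $src, string $base_dir): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Reject empty input, NUL bytes and absolute paths before touching the
    // filesystem; realpath() would silently normalise some of these away.
    if ($src === '' || strpos($src, "\0") !== false
        || $src[0] === '/' || $src[0] === '\\' || preg_match('/^[A-Za-z]:/', $src)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $src);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against the base plus a separator so that a sibling directory
    // such as ".../uploads-other" is not accepted for ".../uploads". This also
    // rejects symlinks whose target resolves outside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return null;
    }
    return $candidate;
}

// Request handling (assumed upload directory; WP_CONTENT_DIR is defined by WordPress).
$base_dir = WP_CONTENT_DIR . '/uploads';
$src      = isset($_GET['src']) ? (string) $_GET['src'] : '';
$path     = safe_image_path($src, $base_dir);
if ($path === null) {
    http_response_code(400);
    exit('invalid image');
}
header('Content-Type: ' . mime_content_type($path));
readfile($path);
```

With the hardened function, a request whose src contains .. (or any value that resolves outside the upload directory) is answered with an error instead of file contents; that is also the check to run against a site after updating the plugin.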
Affected Versions:
DukaPress plugin for WordPress version 2.5.2 and prior
Vulnerability impact
Successful exploitation allows a remote, unauthenticated attacker to read arbitrary files that the web server account can access on the targeted system, for example wp-config.php and the database credentials it contains, resulting in a loss of confidentiality.
Solution
Customers are advised to update to DukaPress plugin version 2.5.4 or later to remediate this vulnerability.
Patch:
The following links download patches that fix this vulnerability: