parameter based downloading | ww.wp.xz.cn

charliecampbell
(@charliecampbell)

11 years, 11 months ago

Hello I am a security consultant and I ran across a site using this plugin similar to how its being used in the following example.

http://siteA.com/wp-content/plugins/google-document-embedder/load.php?dhttp%3A%2F%2FsiteB.com%2Fuploads%2Fdocument.pdf

is this the intended purpose and correct usage of the plugin? I’m asking because I was able to use this link to create links that could be used to fool users into downloading malicious content from offsite resources.

http://siteA.com/wp-content/plugins/google-document-embedder/load.php?dhttp%3A%2F%2FsiteC.com%2Fmalicious_document.pdf

Is there any security function or setting that some devs are overlooking to limit the documents to a specific domain or resource?

https://ww.wp.xz.cn/plugins/google-document-embedder/

Viewing 1 replies (of 1 total)

k3davis
(@k3davis)

11 years, 11 months ago

Charlie,

As a security consultant, let me humbly suggest you report potential security issues privately to the developer rather than on a public forum…

That said, it’s intentional that the plugin is able to load documents from other sites. However there are security measures in the file, such as requiring a user agent string specific to WordPress (not that this cannot be spoofed), and only allowing the linking of supported file types, none of which are executable.

I’d like to see (privately) what you’re seeing with respect to this being abused, so I can see if there is a way to increase the security without undermining the usefulness of the plugin.

Viewing 1 replies (of 1 total)

The topic ‘parameter based downloading’ is closed to new replies.

1 reply
2 participants
Last reply from: k3davis
Last activity: 11 years, 11 months ago
Status: not resolved