WordPress Diarise 1.5.9 - Arbitrary File Retrieval

By kannthu

High
Vidoc Module
#packetstorm #wordpress #wp-theme #lfi
Description

What is the "WordPress Diarise 1.5.9 - Arbitrary File Retrieval" module?

The "WordPress Diarise 1.5.9 - Arbitrary File Retrieval" module is a test case designed to detect a local file retrieval vulnerability in the WordPress Diarise theme version 1.5.9. This vulnerability allows an attacker to retrieve arbitrary files from the server. The severity of this vulnerability is classified as high.

This module was authored by 0x_Akoko.

Impact

If successfully exploited, this vulnerability can expose sensitive information stored on the server, such as system files or configuration files. This information can be leveraged by attackers to gain unauthorized access or further exploit the system.

How does the module work?

The module sends an HTTP GET request to the "/wp-content/themes/diarise/download.php?calendar=file:///etc/passwd" path. It then applies two matching conditions to determine if the vulnerability is present:

- The first matching condition applies the regular expression "root:[x*]:0:0" to the response. A match indicates that the server's password file ("/etc/passwd") has been successfully retrieved.
- The second matching condition checks that the HTTP response status code is 200, indicating a successful request.

If both matching conditions are met, the module reports the vulnerability.
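The same request pattern can be hunted for in web server access logs. The following is an added example, not part of the Vidoc module or the original page: it assumes Combined Log Format, uses constructed log lines, and goes slightly beyond the module by flagging any "file:" value in the "calendar" parameter, including percent-encoded and double-encoded forms. The names `find_diarise_probes` and `fully_unquote` are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path and parameter come from the module description above.
THEME_PATH = "/wp-content/themes/diarise/download.php"
PARAM = "calendar"

# Combined Log Format (assumed): only client, request target and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def fully_unquote(value, rounds=3):
    """Percent-decode a bounded number of times to normalise double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_diarise_probes(lines):
    """Return (client, status, decoded value) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # endswith() also covers WordPress installed in a subdirectory.
        if not fully_unquote(url.path).lower().endswith(THEME_PATH):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_unquote(raw)
            if value.lower().startswith("file:"):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/themes/diarise/download.php?calendar=file:///etc/passwd HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /blog/wp-content/themes/diarise/download.php?calendar=file%253A%252F%252F%252Fetc%252Fpasswd HTTP/1.1" 404 312 "-" "-"',
    '192.0.2.10 - - [10/Oct/2023:13:57:11 +0000] "GET /wp-content/themes/diarise/download.php?calendar=events HTTP/1.1" 200 950 "-" "-"',
    '192.0.2.44 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php?calendar=file:///etc/passwd HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for ip, status, value in find_diarise_probes(SAMPLE_LOG):
        print(f"{ip} status={status} calendar={value}")
```

A hit logged with status 200 corresponds to the module's second matching condition and should be triaged first; the response body is not in the access log, so the regex condition cannot be confirmed from logs alone.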

For more information, you can refer to the following sources:

- Packet Storm Security
- CXSecurity

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wp-content/themes/d...
Matching conditions
regex: root:[x*]:0:0 and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability