MainWP Dashboard [Unauthenticated Local File Download]
The MainWP Dashboard plugin allows anyone to download files under
wp-content/uploads/mainwp without authentication.
Files stored in that location contain sensitive information such as cookies and database and file backups.
Upon WordPress initialization the plugin calls the method
MainWP_System::parse_init(). This method checks whether various request
parameters are set and, if they are, performs a series of predefined
actions. Because this method is called whenever WordPress is initialized,
these actions are available to unauthenticated users as well.
To download a file the attacker must know its path relative to the
wp-content/uploads/mainwp directory and the exact size of the
file he is interested in. This is mandatory because the plugin checks the
$_GET['sig'] parameter against the MD5 hash of the file size.
Downloading a file outside
wp-content/uploads/mainwp does not seem
possible because the plugin checks the path for double dots.
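Defender-side triage for this issue, as an added example that is not code from the advisory or from MainWP: it scans access-log lines for requests carrying an MD5-shaped sig parameter together with a relative file path, and, where the analyst knows the real on-disk size of the requested file, reports whether the weak signature (md5 of the file size, as the advisory describes) would actually have unlocked the download. The parameter name "file", the site-root URL and the log lines are constructed assumptions; the advisory only names sig.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Prefix of the Apache/nginx "combined" format: ip ident user [ts] "METHOD url proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
MD5_RE = re.compile(r'^[0-9a-f]{32}$')
# A parameter value shaped like a relative file path (slashes allowed, needs an extension).
PATH_RE = re.compile(r'^[\w./-]+\.[A-Za-z0-9]+$')


def weak_sig_for_size(size: int) -> str:
    """Per the advisory the plugin accepts sig == md5 of the file size."""
    return hashlib.md5(str(size).encode()).hexdigest()


def triage(lines, known_sizes=None):
    """One finding per request with an MD5-shaped 'sig' and a path-like parameter.
    known_sizes maps relative path -> size in bytes as measured on the defender's
    own disk; sig_valid is True/False when the size is known, None otherwise."""
    known_sizes = known_sizes or {}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m['url']).query)
        sig = qs.get('sig', [''])[0].lower()
        if not MD5_RE.match(sig):
            continue
        for key, values in qs.items():
            for path in values:
                if key == 'sig' or not PATH_RE.match(path):
                    continue
                size = known_sizes.get(path)
                findings.append({
                    'ip': m['ip'], 'status': int(m['status']), 'path': path, 'sig': sig,
                    'traversal': '..' in path,  # attempt against the double-dot check
                    'sig_valid': None if size is None else sig == weak_sig_for_size(size),
                })
    return findings


# Constructed sample lines (not real traffic); the "file" parameter name is assumed.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /?file=index.php&sig=%s HTTP/1.1" 200 0'
    % weak_sig_for_size(0),  # the 0-byte index.php the advisory mentions
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /?file=backups/site.zip&sig=%s HTTP/1.1" 200 0'
    % ('0' * 32),  # guessed signature for a file whose size the analyst has not checked
]

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG, known_sizes={'index.php': 0}):
        print(finding)
```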
If the plugin is installed it should have created the file
wp-content/uploads/mainwp/index.php, which is 0 bytes. We can download
it with the following request.