
Vulnerability in HD FLV Player

Reported by Sucuri, HD FLV Player suffers from an Arbitrary File Download vulnerability, which is unsurprisingly rated critical.

The vulnerable code can be found in download.php:

<?php
// $_GET['f'] is used directly as a filesystem path, with no validation at all
$filename = $_GET['f'];
// basename() is only applied to the attachment name sent to the browser,
// not to the path that is actually read below
header('Content-disposition: attachment; filename='.basename($filename));
readfile($filename);
?>

Since there is absolutely no check or filter applied to the f parameter before it is used, this is the perfect backdoor to fetch almost any file on the machine (subject only to the permissions of the user the web server runs as). Whether the plugin is enabled or not makes no difference: simply having it installed is enough to be exposed.
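As an added example (not the plugin's code and not Sucuri's fix), here is how download.php could be hardened: the requested name is reduced to a bare filename, matched against a conservative character whitelist, resolved with realpath() and confirmed to live under a fixed download directory before anything is read. The directory name videos under the plugin folder is an assumption for illustration.

```php
<?php
// Added example: a hardened variant of download.php.
// Assumption: the files to serve live under a fixed directory (DOWNLOAD_DIR),
// and the client is only ever meant to supply a bare filename, never a path.
define('DOWNLOAD_DIR', __DIR__ . '/videos');

function resolve_download($userInput) {
    // Collapse the parameter to a bare filename. This strips directory
    // components such as ../../ or /etc/ instead of passing them to readfile().
    $name = basename((string) $userInput);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Whitelist the characters a media filename actually needs.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $name);
    // realpath() returns false for a non-existent file and resolves symlinks,
    // so the prefix check also catches a symlink that points outside the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($path)) {
        return null;
    }
    return $path;
}

$path = isset($_GET['f']) ? resolve_download($_GET['f']) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The key difference from the original is that basename() is applied to the path that is read, not just to the name echoed in the header, and that the final realpath() prefix check rejects anything that still resolves outside the download directory. With this in place, a request such as download.php?f=../../../../etc/passwd gets a 404 instead of the file.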

Here is a POC on my local WordPress (the same result should happen with Joomla):

[Screenshot: HD FLV Player WordPress PoC]

The weird thing is that the WordPress and Joomla plugins have been patched, but not the archive on the HD FLV Player official website, leaving custom installations vulnerable.

Note: As Sucuri said, email.php should be considered too, but that vulnerability is a little more tricky.