CVE-2015-6668 - Job Manager IDOR
A small Rust CLI that reproduces the information-disclosure pattern associated with CVE-2015-6668 (Job Manager <= 0.7.25). The tool enumerates typical WordPress upload paths for given years, months and common file extensions to detect publicly accessible files that may indicate an insecure direct object reference (IDOR) / insecure file exposure.
Vulnerability Overview
CVE-2015-6668 affects Job Manager (<= 0.7.25). The vulnerability allows an attacker to enumerate or access uploaded files (attachments) due to insufficient access controls on user-uploaded resources. In practice this can expose sensitive documents, images or scripts that were expected to be private.
Technical Details
- Target: Job Manager installations using predictable upload directories (e.g. /wp-content/uploads/<year>/<month>/filename.ext).
- Attack pattern: brute-force / enumerate common year/month folders and filename variants to locate accessible files.
- Indicators: HTTP 200 responses for constructed URLs indicate a publicly reachable file.
- This tool performs simple GET requests and reports the first discovered public file (by default).
Description
The vulnerability stems from weak access control on uploaded content. If an application stores files in predictable public locations without proper authorization checks, an attacker can enumerate likely file paths and retrieve files directly via HTTP. The exploit vector is essentially an informed crawler that constructs possible upload URLs (year/month/file.ext) and checks for a 200 OK response.
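Seen from the server side, the pattern described above is one client requesting the same file name across many dated upload folders, typically a run of 404s ending in a single 200. The following detector is an added example, not part of this project's code; it assumes combined-format access logs, and the sample lines, the `Finding` type and the `min_dirs` threshold are constructed for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Constructed sample (combined log format); addresses and file names are made up.
const SAMPLE: &str = r#"203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /wp-content/uploads/2014/01/jane-doe-cv.pdf HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /wp-content/uploads/2014/01/jane-doe-cv.docx HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /wp-content/uploads/2014/02/jane-doe-cv.pdf HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /wp-content/uploads/2014/03/jane-doe-cv.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Mar/2024:10:05:00 +0000] "GET /wp-content/uploads/2024/02/logo.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"#;

/// One client sweeping dated upload folders for the same file name; `exposed` holds paths that returned 200.
#[derive(Debug, PartialEq)]
pub struct Finding { pub client: String, pub stem: String, pub dirs_probed: usize, pub exposed: Vec<String> }

/// Split "/wp-content/uploads/<year>/<month>/<name>.<ext>" into ("<year>/<month>", "<name>").
fn parse_upload_path(path: &str) -> Option<(String, String)> {
    let rest = path.split('?').next()?.strip_prefix("/wp-content/uploads/")?;
    let parts: Vec<&str> = rest.split('/').collect();
    if parts.len() != 3 { return None; }
    let (y, m, file) = (parts[0], parts[1], parts[2]);
    let digits = |s: &str, n: usize| s.len() == n && s.bytes().all(|b| b.is_ascii_digit());
    if !digits(y, 4) || !digits(m, 2) || file.is_empty() { return None; }
    let stem = file.rsplit_once('.').map_or(file, |(s, _)| s); // extension variants share a stem
    Some((format!("{}/{}", y, m), stem.to_lowercase()))
}

/// Scan access-log text and flag (client, stem) pairs requested in at least `min_dirs` folders.
pub fn detect_enumeration(log: &str, min_dirs: usize) -> Vec<Finding> {
    let mut seen: BTreeMap<(String, String), (BTreeSet<String>, Vec<String>)> = BTreeMap::new();
    for line in log.lines() {
        let mut q = line.splitn(3, '"'); // prefix, request line, status and the rest
        let (Some(head), Some(req), Some(tail)) = (q.next(), q.next(), q.next()) else { continue };
        let Some(client) = head.split_whitespace().next() else { continue };
        let Some(path) = req.split_whitespace().nth(1) else { continue };
        let Some((dir, stem)) = parse_upload_path(path) else { continue };
        let entry = seen.entry((client.to_string(), stem)).or_default();
        entry.0.insert(dir);
        if tail.split_whitespace().next() == Some("200") { entry.1.push(path.to_string()); }
    }
    seen.into_iter()
        .filter(|(_, (dirs, _))| dirs.len() >= min_dirs)
        .map(|((client, stem), (dirs, exposed))| Finding { client, stem, dirs_probed: dirs.len(), exposed })
        .collect()
}

fn main() {
    for f in detect_enumeration(SAMPLE, 3) {
        println!("{} probed {} folders for '{}', exposed: {:?}", f.client, f.dirs_probed, f.stem, f.exposed);
    }
}
```

A non-empty `exposed` list means a file was actually served to the sweeping client and should be treated as disclosed.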
Usage
Build and run the project with Cargo (Rust and Cargo are required):
cargo run -- -u http://target.com -f <file-name>
Required arguments:
- -u, --url: base URL of the target (e.g. http://example.com).
- -f, --filename: filename to search for (spaces will be replaced with -).
Optional:
- --start-year: start year for enumeration (default: 2014).
- --end-year: end year for enumeration (default: current year).
Notes:
- The tool prints the URL of the first file it finds and exits immediately.
- The request User-Agent is set to mimic a modern Chrome browser by default.
Disclaimer
This tool is for educational and authorized penetration testing purposes only. Use it responsibly and only on systems you own or have explicit permission to test.