| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Mar 2011 17:42:27 +0200 From: Christian Sciberras <uuf6429@...il.com> To: advisory@...ridge.ch Cc: bugtraq@...urityfocus.com Subject: Re: HTB22905: Path disclosure in Wordpress Ridiculous! I've been talking about this for some time, the actual list of vulnerable files follows: wp-admin\admin-functions.php wp-admin\includes\admin.php wp-admin\includes\class-ftp-pure.php wp-admin\includes\class-ftp-sockets.php wp-admin\includes\class-wp-filesystem-direct.php wp-admin\includes\class-wp-filesystem-ftpext.php wp-admin\includes\class-wp-filesystem-ftpsockets.php wp-admin\includes\class-wp-filesystem-ssh2.php wp-admin\includes\comment.php wp-admin\includes\continents-cities.php wp-admin\includes\file.php wp-admin\includes\media.php wp-admin\includes\misc.php wp-admin\includes\ms.php wp-admin\includes\nav-menu.php wp-admin\includes\plugin-install.php wp-admin\includes\plugin.php wp-admin\includes\schema.php wp-admin\includes\template.php wp-admin\includes\theme-install.php wp-admin\includes\update.php wp-admin\includes\upgrade.php wp-admin\includes\user.php wp-admin\maint\repair.php wp-admin\menu-header.php wp-admin\menu.php wp-admin\options-head.php wp-admin\upgrade-functions.php wp-config.php wp-content\themes\twentyten\404.php wp-content\themes\twentyten\archive.php wp-content\themes\twentyten\attachment.php wp-content\themes\twentyten\author.php wp-content\themes\twentyten\category.php wp-content\themes\twentyten\comments.php wp-content\themes\twentyten\footer.php wp-content\themes\twentyten\functions.php wp-content\themes\twentyten\header.php wp-content\themes\twentyten\loop.php wp-content\themes\twentyten\onecolumn-page.php wp-content\themes\twentyten\page.php wp-content\themes\twentyten\search.php wp-content\themes\twentyten\sidebar-footer.php wp-content\themes\twentyten\sidebar.php wp-content\themes\twentyten\single.php wp-content\themes\twentyten\tag.php wp-includes\Text\Diff\Engine\native.php wp-includes\Text\Diff\Engine\string.php wp-includes\Text\Diff\Engine\xdiff.php wp-includes\Text\Diff\Renderer\inline.php wp-includes\Text\Diff\Renderer.php wp-includes\Text\Diff.php wp-includes\cache.php wp-includes\canonical.php wp-includes\class-feed.php wp-includes\class-simplepie.php wp-includes\class-snoopy.php wp-includes\class.wp-scripts.php wp-includes\class.wp-styles.php wp-includes\classes.php wp-includes\comment-template.php wp-includes\default-embeds.php wp-includes\default-filters.php wp-includes\default-widgets.php wp-includes\feed-atom-comments.php wp-includes\feed-atom.php wp-includes\feed-rdf.php wp-includes\feed-rss.php wp-includes\feed-rss2-comments.php wp-includes\feed-rss2.php wp-includes\general-template.php wp-includes\js\tinymce\langs\wp-langs.php wp-includes\js\tinymce\plugins\spellchecker\classes\EnchantSpell.php wp-includes\js\tinymce\plugins\spellchecker\classes\GoogleSpell.php wp-includes\js\tinymce\plugins\spellchecker\classes\PSpell.php wp-includes\js\tinymce\plugins\spellchecker\classes\PSpellShell.php wp-includes\js\tinymce\plugins\spellchecker\config.php wp-includes\js\tinymce\wp-mce-help.php wp-includes\kses.php wp-includes\l10n.php wp-includes\media.php wp-includes\ms-default-constants.php wp-includes\ms-default-filters.php wp-includes\ms-functions.php wp-includes\ms-settings.php wp-includes\nav-menu-template.php wp-includes\post.php wp-includes\query.php wp-includes\registration-functions.php wp-includes\rss-functions.php wp-includes\rss.php wp-includes\script-loader.php wp-includes\shortcodes.php wp-includes\taxonomy.php wp-includes\template-loader.php wp-includes\theme-compat\comments-popup.php wp-includes\theme-compat\comments.php wp-includes\theme-compat\footer.php wp-includes\theme-compat\header.php wp-includes\theme-compat\sidebar.php wp-includes\theme.php wp-includes\update.php wp-includes\user.php wp-includes\vars.php wp-includes\widgets.php wp-includes\wp-db.php wp-includes\wp-diff.php wp-settings.php That's some 30%-40% of all Wordpress files (depending on Wordpress install). I considered making this public but... http://codex.wordpress.org/Security_FAQ Read the 5th clause. Chris. On Tue, Mar 29, 2011 at 11:55 AM, <advisory@...ridge.ch> wrote: > > Vulnerability ID: HTB22905 > Reference: http://www.htbridge.ch/advisory/path_disclosure_in_wordpress.html > Product: Wordpress > Vendor: http://wordpress.org/ ( http://wordpress.org/ ) > Vulnerable Version: 3.1 > Vendor Notification: 15 March 2011 > Vulnerability Type: Path disclosure > Status: Not Fixed > Risk level: Low > Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) > > Vulnerability Details: > The vulnerability exists due to failure in the "/wp-includes/theme-compat/" & "/wp-content/themes/twentyten/" scripts, it's possible to generate an error that will reveal the full path of the script. > A remote user can determine the full path to the web root directory and other potentially sensitive information. > > The following PoC is available: > > [code] > /wp-includes/theme-compat/comments-popup.php > /wp-includes/theme-compat/comments.php > /wp-includes/theme-compat/footer.php > /wp-includes/theme-compat/sidebar.php > /wp-content/themes/twentyten/index.php > /wp-content/themes/twentyten/404.php > /wp-content/themes/twentyten/archive.php > [/code] > >
Powered by blists - more mailing lists