lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4AC11CDA.7020003@zerial.org>
Date: Mon, 28 Sep 2009 16:30:18 -0400
From: "Fernando A. Lagos B." <fernando@...ial.org>
To: majinboo <majinbou@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Full Path Disclosure in most wordpress'
 plugins [?]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

majinboo wrote:
> Hello,

Hi

> 
> this kind of "vulnerabilities" exists whenever a PHP scripts issue a
> fatal error on a poorly configured server. PHP should log errors in a
> local file and not on the client screen. With this configuration, you
> will not see a full path disclosure in each uncatched PHP exception.
> IMHO the security weakness is on the php.ini and not on the web application.



The most of Full Path Disclosure are triggered by a Warning, Fatal Error
or Notice message from PHP.
This problem is a problem into the developer side. Each developer must
validate incoming parameters (by GET or POST), function calls, file
opening, sql queries, etc.

If you see the rest of code (example in hello.php) each function call is
validated by "if (function_exists(...))" but "add_action()" not.

All plugins (wordpress, joomla, etc etc) must be validated and correctly
parsed, I can't call to "function()" if "function()" not exists (in the
api context).

What do you think about?

> 
> cheers,

cheers!

> 
> majinboo
> 
> 2009/9/28 Fernando A. Lagos B. <fernando@...ial.org
> <mailto:fernando@...ial.org>>
> 
> Exists an call to add_action() without validate with function_exists().
> When I run the php script directly, I get the full path of wp
> installation.
> 
> Example:
> [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
> [+] http://www.marco2010.cl/wp-content/plugins/hello.php
> 
> 
> Is a bug? Is a feature?
> 
> More details posted in my blog:
> http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/
> (spanish)
> 
> 
> cheers.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




- --
Fernando A. Lagos Berardi - Zerial
Desarrollador y Programador Web
Seguridad Informatica
Linux User #382319
Blog: http://blog.zerial.org
Skype: erzerial
Jabber: zerial@...beres.org
GTalk && MSN: fernando@...ial.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrBHNoACgkQIP17Kywx9JQzCgCdHu3d4cwAi2tpPeqyy1PVbpNj
eQsAn2xjhAFNoUIZuTsX+Haxo4Ydgns6
=fzpB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ