lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <4AFED97E.4070209@zerial.org> Date: Sat, 14 Nov 2009 13:23:26 -0300 From: "Zerial." <fernando@...ial.org> To: Victor Antonio Torre Villahoz <vtorre@...pasec.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [EquipoFraude] Full Path Disclosure in most wordpress' plugins [?] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've received an answer from security at wordpress: "We consider path disclosures a server configuration error. WordPress files don't protect against disclosing paths when directly loaded." cheers Zerial. wrote: > Victor Antonio Torre Villahoz wrote: >> This not only happens in the plugins, all files in wp-admin/import/ have >> errors like it. > >> I'm fix it using: > >> if ( defined('WP_ADMIN') or defined('WP_USE_THEMES') ){ >> ;//coninue >> } >> else{ >> die(); >> } > > > I've received an email which contains a lot of files which are > vulnerables to FPD: > > wp-admin/includes/admin.php > wp-admin/includes/class-ftp-pure.php > wp-admin/includes/class-ftp-sockets.php > wp-admin/includes/class-wp-filesystem-direct.php > wp-admin/includes/class-wp-filesystem-ftpext.php > wp-admin/includes/class-wp-filesystem-ftpsockets.php > wp-admin/includes/class-wp-filesystem-ssh2.php > wp-admin/includes/comment.php > wp-admin/includes/continents-cities.php > wp-admin/includes/file.php > wp-admin/includes/media.php > wp-admin/includes/misc.php > wp-admin/includes/plugin-install.php > wp-admin/includes/plugin.php > wp-admin/includes/schema.php > wp-admin/includes/template.php > wp-admin/includes/theme-install.php > wp-admin/includes/update.php > wp-admin/includes/upgrade.php > wp-admin/includes/user.php > > Solution: > > if ( defined('WP_ADMIN') or defined('WP_USE_THEMES') ){ > ;//coninue > } > else{ > die("Oops! Don't run this script directly, n00b"); > } > //---- or > if ( defined('ABSPATH')){ > die("Oops! Don't run this script directly, n00b"); > > >> Fernando A. Lagos B. escribió: >>> Exists an call to add_action() without validate with function_exists(). >>> When I run the php script directly, I get the full path of wp installation. >>> Example: >>> [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php >>> [+] http://www.marco2010.cl/wp-content/plugins/hello.php > >>> Is a bug? Is a feature? >>> More details posted in my blog: >>> http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/ >>> (spanish) > >>> cheers. >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > - -- Fernando A. Lagos Berardi - Zerial Desarrollador y Programador Web Seguridad Informatica GNU/Linux User #382319 Blog: http://blog.zerial.org Skype: erzerial Jabber: zerial@...beres.org GTalk && MSN: fernando@...ial.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkr+2X4ACgkQIP17Kywx9JTAVgCfZp287NkTTia0iQIumXxBaWXX oVwAnjLwm+7QV3Z7TmoPVz4PzLW29RV3 =ikQc -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists