lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <000601cda7f2$06fe0f50$14fa2df0$@gmail.com>
Date: Thu, 11 Oct 2012 21:50:18 +0100
From: Scott Herbert <scott.a.herbert@...glemail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Wordpress plugin abtest vulnerable to a directory
	traversal attack

-------------------------
Affected products:
-------------------------

Product : 		wordpress
Plugin in name : 	abtest
File name : 		abtest_admin.php

----------
Details:
----------

The file abtest_admin.php of the plugin abtest is vulnerable to a Directory
traversal attack (see
http://en.wikipedia.org/wiki/Directory_traversal_attack) which could expose
sensitive information to unauthorised third parties.

Example code:
http://localhost/blog/wp-content/plugins/abtest/abtest_admin.php?action=../.
./../../../../../etc/passwd%00

--------------------
Suggested fix:
--------------------

preferably amend line 4 of abtest_admin.php to include a switch statement
ensuring $_GET['action'] is safe i.e.
switch ($_GET['action']) {
case "add_goal":
case "add_ip_filter":
..>8.. cut for space ..8<...
case "tabs":
    include 'admin/' . $_GET['action'] . '.php';
    break;
default:
    echo "oh... something wrong...";
}

Or at least remove all non-alpha and underscores from $_GET['action'] prior
to the include statement.

------------
Timeline:
------------

11-Sept-2012 Author, Wordpress
12-Sept-2012 Wordpress pulled the plugin
11-Oct-2012 No contact from the vendor. Vulnerability made public via my
blog and the full disclosure email list.

--
Scott Herbert
http://blog.scott-herbert.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ