[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HTB22905: Path disclosure in Wordpress



Ridiculous! I've been talking about this for some time, the actual
list of vulnerable files follows:

wp-admin\admin-functions.php
wp-admin\includes\admin.php
wp-admin\includes\class-ftp-pure.php
wp-admin\includes\class-ftp-sockets.php
wp-admin\includes\class-wp-filesystem-direct.php
wp-admin\includes\class-wp-filesystem-ftpext.php
wp-admin\includes\class-wp-filesystem-ftpsockets.php
wp-admin\includes\class-wp-filesystem-ssh2.php
wp-admin\includes\comment.php
wp-admin\includes\continents-cities.php
wp-admin\includes\file.php
wp-admin\includes\media.php
wp-admin\includes\misc.php
wp-admin\includes\ms.php
wp-admin\includes\nav-menu.php
wp-admin\includes\plugin-install.php
wp-admin\includes\plugin.php
wp-admin\includes\schema.php
wp-admin\includes\template.php
wp-admin\includes\theme-install.php
wp-admin\includes\update.php
wp-admin\includes\upgrade.php
wp-admin\includes\user.php
wp-admin\maint\repair.php
wp-admin\menu-header.php
wp-admin\menu.php
wp-admin\options-head.php
wp-admin\upgrade-functions.php
wp-config.php
wp-content\themes\twentyten\404.php
wp-content\themes\twentyten\archive.php
wp-content\themes\twentyten\attachment.php
wp-content\themes\twentyten\author.php
wp-content\themes\twentyten\category.php
wp-content\themes\twentyten\comments.php
wp-content\themes\twentyten\footer.php
wp-content\themes\twentyten\functions.php
wp-content\themes\twentyten\header.php
wp-content\themes\twentyten\loop.php
wp-content\themes\twentyten\onecolumn-page.php
wp-content\themes\twentyten\page.php
wp-content\themes\twentyten\search.php
wp-content\themes\twentyten\sidebar-footer.php
wp-content\themes\twentyten\sidebar.php
wp-content\themes\twentyten\single.php
wp-content\themes\twentyten\tag.php
wp-includes\Text\Diff\Engine\native.php
wp-includes\Text\Diff\Engine\string.php
wp-includes\Text\Diff\Engine\xdiff.php
wp-includes\Text\Diff\Renderer\inline.php
wp-includes\Text\Diff\Renderer.php
wp-includes\Text\Diff.php
wp-includes\cache.php
wp-includes\canonical.php
wp-includes\class-feed.php
wp-includes\class-simplepie.php
wp-includes\class-snoopy.php
wp-includes\class.wp-scripts.php
wp-includes\class.wp-styles.php
wp-includes\classes.php
wp-includes\comment-template.php
wp-includes\default-embeds.php
wp-includes\default-filters.php
wp-includes\default-widgets.php
wp-includes\feed-atom-comments.php
wp-includes\feed-atom.php
wp-includes\feed-rdf.php
wp-includes\feed-rss.php
wp-includes\feed-rss2-comments.php
wp-includes\feed-rss2.php
wp-includes\general-template.php
wp-includes\js\tinymce\langs\wp-langs.php
wp-includes\js\tinymce\plugins\spellchecker\classes\EnchantSpell.php
wp-includes\js\tinymce\plugins\spellchecker\classes\GoogleSpell.php
wp-includes\js\tinymce\plugins\spellchecker\classes\PSpell.php
wp-includes\js\tinymce\plugins\spellchecker\classes\PSpellShell.php
wp-includes\js\tinymce\plugins\spellchecker\config.php
wp-includes\js\tinymce\wp-mce-help.php
wp-includes\kses.php
wp-includes\l10n.php
wp-includes\media.php
wp-includes\ms-default-constants.php
wp-includes\ms-default-filters.php
wp-includes\ms-functions.php
wp-includes\ms-settings.php
wp-includes\nav-menu-template.php
wp-includes\post.php
wp-includes\query.php
wp-includes\registration-functions.php
wp-includes\rss-functions.php
wp-includes\rss.php
wp-includes\script-loader.php
wp-includes\shortcodes.php
wp-includes\taxonomy.php
wp-includes\template-loader.php
wp-includes\theme-compat\comments-popup.php
wp-includes\theme-compat\comments.php
wp-includes\theme-compat\footer.php
wp-includes\theme-compat\header.php
wp-includes\theme-compat\sidebar.php
wp-includes\theme.php
wp-includes\update.php
wp-includes\user.php
wp-includes\vars.php
wp-includes\widgets.php
wp-includes\wp-db.php
wp-includes\wp-diff.php
wp-settings.php

That's some 30%-40% of all Wordpress files (depending on Wordpress install).

I considered making this public but...

http://codex.wordpress.org/Security_FAQ

Read the 5th clause.


Chris.





On Tue, Mar 29, 2011 at 11:55 AM, <advisory@xxxxxxxxxxx> wrote:
>
> Vulnerability ID: HTB22905
> Reference: http://www.htbridge.ch/advisory/path_disclosure_in_wordpress.html
> Product: Wordpress
> Vendor: http://wordpress.org/ ( http://wordpress.org/ )
> Vulnerable Version: 3.1
> Vendor Notification: 15 March 2011
> Vulnerability Type: Path disclosure
> Status: Not Fixed
> Risk level: Low
> Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
>
> Vulnerability Details:
> The vulnerability exists due to failure in the "/wp-includes/theme-compat/" & "/wp-content/themes/twentyten/" scripts, it's possible to generate an error that will reveal the full path of the script.
> A remote user can determine the full path to the web root directory and other potentially sensitive information.
>
> The following PoC is available:
>
> [code]
> /wp-includes/theme-compat/comments-popup.php
> /wp-includes/theme-compat/comments.php
> /wp-includes/theme-compat/footer.php
> /wp-includes/theme-compat/sidebar.php
> /wp-content/themes/twentyten/index.php
> /wp-content/themes/twentyten/404.php
> /wp-content/themes/twentyten/archive.php
> [/code]
>
>