[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Wordpress enable-latex plugin Remote File Include Vulnerabilities



On Wed, Nov 23, 2011 at 12:30:58PM +0000, Amir@xxxxxxxx wrote:
> a bug in Wordpress enable-latex plugin that allows to us to occur a Remote File Include on a Remote machin.
> 
> 
> 
> ################################################################################################################################
> #                                                                                                                              #
> #                           Aria Security Team - Persian Network Security                                                      #
> #                                                                                                                              #
> #                                http://Aria-Security.Com/forum/                                                               #
> #                                                                                                                              #
> ################################################################################################################################
> #                                                                                                                              #
> # Wordpress enable-latex plugin Remote File Include Vulnerabilities                                                            #
> #                                                                                                                              #
> # Download......: http://wordpress.org/extend/plugins/enable-latex/                                                            #
> #                                                                                                                              #
> # Exploit.......: http://www.site.com/[path]/wp-content/plugins/enable-latex/core.php?url=[Rfi]?                               #
> #                                                                                                                              #
> # Google Search.: "Powered by Wordpress"                                                                                       #
> #                                                                                                                              #
> ################################################################################################################################
> #                                                                                                                              #
> # Bug Found.....: Aria-Security                                                                                                #
> #                                                                                                                              #
> # discovery.....: Am!r (IrIsT?)                                                                                                #
> #                                                                                                                              #
> # contact.......: Amir[at]IrIsT.ir                                                                                             #
> #                                                                                                                              #
> # SP TNX........: The-0utl4w & A.u.r.A & B3HZ4D & m3hdi & joker_s & all IrIsT And Aria-security members                        #
> #                                                                                                                              #
> ################################################################################################################################

I have now tested this with following versions:

WordPress: 3.2.1
Enable Latex: 1.1.2

I was unable to reproduce this issue. All I received back from application: "Sorry, you are not allowed to access this file directly.", which comes from core.class.php:

   7 /* Prevent direct access to this file */
   8 if (!defined('ABSPATH')) {
   9     exit("Sorry, you are not allowed to access this file directly.");
  10 }

This was added between revisions:
"""
------------------------------------------------------------------------
r467422 | sedLex | 2011-11-25 16:13:39 +0200 (Fri, 25 Nov 2011) | 1 line

bug
------------------------------------------------------------------------
r458335 | sedLex | 2011-11-01 19:00:07 +0200 (Tue, 01 Nov 2011) | 1 line

New version
"""

With version r458335 I am unable to reproduce this issue as these PHP-files just give require_once PHP warnings. Could you please help me with this issue to identify if this is valid announcement and with what versions, thank you.

- Henri Salo