Full Disclosure mailing list archives
Re: Full Path Disclosure in most wordpress' plugins [?]
From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Tue, 29 Sep 2009 15:25:48 +0200
Not that I think this is serious, but I like it when the first thing an include file does is to check whether a defined term *is* defined.

<?php if (!defined('MY_CONFIG_VAR_GUESS_WP_HAS_SOME_TOO')) die ("NSA is watching you."); ?>

Filenames can change. A definer like INCLUDE_DIR would rather not.

2009/9/29 Fernando A. Lagos B. <fernando () zerial org>
> Glafkos Charalambous wrote:
> > Hello,
>
> Hi Glafkos,
>
> > That definitely can be fixed easily with two lines of code but is still something that should have been prevented at earlier stages of "plugin" development
> >
> > "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' == basename($_SERVER['SCRIPT_FILENAME'])) die ('Please do not load this page directly');"
>
> It is a simple and good fix.
>
> > From the server side you can set PHP "warning" and "errors" OFF either through php.ini or the PHP page itself, but sometimes that's not an option
>
> Yep, disabling the "display_errors" option in php.ini is not a good option. Setting display_errors to Off hides the problem but does not fix the problem.
>
> > Regards,
>
> cheers
>
> > Glafkos Charalambous
> >
> > *From:* full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] *On Behalf Of* majinboo
> > *Sent:* Monday, September 28, 2009 11:12 PM
> > *To:* Fernando A. Lagos B.
> > *Cc:* full-disclosure () lists grok org uk
> > *Subject:* Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]
> >
> > Hello, this kind of "vulnerability" exists whenever a PHP script issues a fatal error on a poorly configured server. PHP should log errors in a local file and not on the client screen. With this configuration, you will not see a full path disclosure in each uncaught PHP exception. IMHO the security weakness is in the php.ini and not in the web application.
> >
> > cheers, majinboo
> >
> > 2009/9/28 Fernando A. Lagos B. <fernando () zerial org <mailto:fernando () zerial org>>
> >
> > > There is a call to add_action() without validating with function_exists(). When I run the php script directly, I get the full path of the wp installation.
> > >
> > > Example:
> > > [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php
> > > [+] http://www.marco2010.cl/wp-content/plugins/hello.php
> > >
> > > Is it a bug? Is it a feature?
> > >
> > > More details posted in my blog:
> > > http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/ (Spanish)
> > >
> > > cheers.
>
> - --
> Fernando A. Lagos Berardi - Zerial
> Web Developer and Programmer
> Information Security
> Linux User #382319
> Blog: http://blog.zerial.org
> Skype: erzerial
> Jabber: zerial () jabberes org
> GTalk && MSN: fernando () zerial org
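As an added illustration (not code from this thread, from Akismet or from any real plugin), a constructed plugin file that combines the two fixes the thread converges on: a guard that stops direct requests before any WordPress function is called, and the function_exists() check from the original post. It assumes WordPress's ABSPATH constant, which wp-load.php defines before plugins are included; the php.ini settings in the trailing comment are the server-side measure majinboo and Glafkos discuss.

```php
<?php
/*
 * Plugin Name: Example Guarded Plugin (constructed example)
 *
 * Loaded by WordPress, this file runs with ABSPATH defined and
 * add_action() available. Requested directly over HTTP, as in the
 * thread's examples, neither exists: without a guard the first
 * add_action() call raises
 *   "Fatal error: Call to undefined function add_action() in
 *    /var/www/html/wp-content/plugins/example/example.php"
 * and with display_errors=On that full path goes to the client.
 */

// Guard 1: bail out unless WordPress bootstrapped us. ABSPATH is set by
// wp-load.php before any plugin is included, so a direct request never
// reaches the code below. Same idea as the INCLUDE_DIR-style check
// suggested above, but using a constant WordPress already defines.
if (!defined('ABSPATH')) {
    // Plain exit with no message: nothing about the filesystem is revealed.
    http_response_code(403);
    exit;
}

// Guard 2 (belt and braces): never call the WordPress API unless it is
// actually loaded, the function_exists() check from the original post.
if (function_exists('add_action')) {
    add_action('init', 'example_plugin_init');
}

function example_plugin_init()
{
    // Plugin logic would go here.
}

/*
 * Server side (php.ini), independent of any plugin: keep the path out of
 * responses even when some other plugin lacks a guard. As Fernando notes,
 * this hides the symptom; the guards above fix the cause.
 *
 *   display_errors = Off
 *   log_errors     = On
 *   error_log      = /var/log/php/error.log   ; constructed path
 */
```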
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Jan G.B. (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Loaden (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Peter Bruderer (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 30)
- Re: Full Path Disclosure in most wordpress' plugins [?] James Matthews (Sep 30)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 28)