Full Disclosure mailing list archives
Re: Information Leakage and Full path disclosure vulnerabilities in WordPress
From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Tue, 3 Aug 2010 15:06:26 +0200
2010/8/2 MustLive <mustliveua () gmail com>:
Hello Full-Disclosure! I want to warn you about security vulnerabilities in WordPress which I published on 30.07.2010 during my Day of bugs in WordPress 2 project.
Awesome! Let's see what you got, here...
So in the common case, when the name of the database, the prefix and the date are known, it'll have to do up to 1048576 combinations (folder) + up to 1000 combinations (file) = up to 1049576 combinations (full path to the file).
Wouldn't you have to multiply 104856 with 1000? So you don't have to bruteforce just 105.856 possible variations but 104.856.000...
On average it's 524788 combinations, which can be picked up quickly enough with a fast Internet connection.
Nope! Actually not. Btw: Full path disclosure is basically a configuration error of the environment as no application should be allowed to print out errors on the front-end to "customers". WordPress developers stated their opinion about that several times. But let's continue...
------------------------------
Protection against these vulnerabilities.
------------------------------
For protection it's possible to fix these Full path disclosure vulnerabilities by yourself (as with other FPDs in WordPress), or update the plugin to the latest version, WP-DB-Backup 2.2.2.
http://wordpress.org/extend/plugins/wp-db-backup/
Version: 2.2.2
Last Updated: 2008-12-10

Does it make sense to post advisories about very very old versions which are of no relevance at all, since the latest version is even 2 years old? What the ...
With WordPress 2.0.11, version 1.8 of the plugin is shipped. As I checked recently, Full path disclosure and other vulnerabilities were fixed in version 2.1 of the plugin. So the latest version of the plugin, WordPress Database Backup 2.2.2, isn't vulnerable to CSRF and Full path disclosure (and isn't vulnerable to the above-mentioned Directory Traversal, Arbitrary file deletion, DoS and XSS (http://websecurity.com.ua/1676/)). But the latest version of the plugin is still vulnerable to Information Leakage.
Win 3.11 has some serious flaws, too! For real!!11 omfg! Stop wasting time

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/