Re: HTB22905: Path disclosure in Wordpress

[Christian Sciberras <uuf6429 () gmail com>]

By the way, I didn't see this mentioned anywhere (yet); since there
are so many unprotected files, one can easily detect the wordpress
version by comparing error line numbers.





On Wed, Mar 30, 2011 at 4:39 PM, Christian Sciberras <uuf6429 () gmail com> wrote:
> With regards to the recent bugtrack advisory on WordPress DFA:
>
> Re: HTB22905: Path disclosure in Wordpress
>
> --------------------------------------------------------
>
> Ridiculous! I've been talking about this for some time, the actual
> list of vulnerable files follows:
>
> wp-admin\admin-functions.php
> wp-admin\includes\admin.php
> wp-admin\includes\class-ftp-pure.php
> wp-admin\includes\class-ftp-sockets.php
> wp-admin\includes\class-wp-filesystem-direct.php
> wp-admin\includes\class-wp-filesystem-ftpext.php
> wp-admin\includes\class-wp-filesystem-ftpsockets.php
> wp-admin\includes\class-wp-filesystem-ssh2.php
> wp-admin\includes\comment.php
> wp-admin\includes\continents-cities.php
> wp-admin\includes\file.php
> wp-admin\includes\media.php
> wp-admin\includes\misc.php
> wp-admin\includes\ms.php
> wp-admin\includes\nav-menu.php
> wp-admin\includes\plugin-install.php
> wp-admin\includes\plugin.php
> wp-admin\includes\schema.php
> wp-admin\includes\template.php
> wp-admin\includes\theme-install.php
> wp-admin\includes\update.php
> wp-admin\includes\upgrade.php
> wp-admin\includes\user.php
> wp-admin\maint\repair.php
> wp-admin\menu-header.php
> wp-admin\menu.php
> wp-admin\options-head.php
> wp-admin\upgrade-functions.php
> wp-config.php
> wp-content\themes\twentyten\404.php
> wp-content\themes\twentyten\archive.php
> wp-content\themes\twentyten\attachment.php
> wp-content\themes\twentyten\author.php
> wp-content\themes\twentyten\category.php
> wp-content\themes\twentyten\comments.php
> wp-content\themes\twentyten\footer.php
> wp-content\themes\twentyten\functions.php
> wp-content\themes\twentyten\header.php
> wp-content\themes\twentyten\loop.php
> wp-content\themes\twentyten\onecolumn-page.php
> wp-content\themes\twentyten\page.php
> wp-content\themes\twentyten\search.php
> wp-content\themes\twentyten\sidebar-footer.php
> wp-content\themes\twentyten\sidebar.php
> wp-content\themes\twentyten\single.php
> wp-content\themes\twentyten\tag.php
> wp-includes\Text\Diff\Engine\native.php
> wp-includes\Text\Diff\Engine\string.php
> wp-includes\Text\Diff\Engine\xdiff.php
> wp-includes\Text\Diff\Renderer\inline.php
> wp-includes\Text\Diff\Renderer.php
> wp-includes\Text\Diff.php
> wp-includes\cache.php
> wp-includes\canonical.php
> wp-includes\class-feed.php
> wp-includes\class-simplepie.php
> wp-includes\class-snoopy.php
> wp-includes\class.wp-scripts.php
> wp-includes\class.wp-styles.php
> wp-includes\classes.php
> wp-includes\comment-template.php
> wp-includes\default-embeds.php
> wp-includes\default-filters.php
> wp-includes\default-widgets.php
> wp-includes\feed-atom-comments.php
> wp-includes\feed-atom.php
> wp-includes\feed-rdf.php
> wp-includes\feed-rss.php
> wp-includes\feed-rss2-comments.php
> wp-includes\feed-rss2.php
> wp-includes\general-template.php
> wp-includes\js\tinymce\langs\wp-langs.php
> wp-includes\js\tinymce\plugins\spellchecker\classes\EnchantSpell.php
> wp-includes\js\tinymce\plugins\spellchecker\classes\GoogleSpell.php
> wp-includes\js\tinymce\plugins\spellchecker\classes\PSpell.php
> wp-includes\js\tinymce\plugins\spellchecker\classes\PSpellShell.php
> wp-includes\js\tinymce\plugins\spellchecker\config.php
> wp-includes\js\tinymce\wp-mce-help.php
> wp-includes\kses.php
> wp-includes\l10n.php
> wp-includes\media.php
> wp-includes\ms-default-constants.php
> wp-includes\ms-default-filters.php
> wp-includes\ms-functions.php
> wp-includes\ms-settings.php
> wp-includes\nav-menu-template.php
> wp-includes\post.php
> wp-includes\query.php
> wp-includes\registration-functions.php
> wp-includes\rss-functions.php
> wp-includes\rss.php
> wp-includes\script-loader.php
> wp-includes\shortcodes.php
> wp-includes\taxonomy.php
> wp-includes\template-loader.php
> wp-includes\theme-compat\comments-popup.php
> wp-includes\theme-compat\comments.php
> wp-includes\theme-compat\footer.php
> wp-includes\theme-compat\header.php
> wp-includes\theme-compat\sidebar.php
> wp-includes\theme.php
> wp-includes\update.php
> wp-includes\user.php
> wp-includes\vars.php
> wp-includes\widgets.php
> wp-includes\wp-db.php
> wp-includes\wp-diff.php
> wp-settings.php
>
> That's some 30%-40% of all Wordpress files (depending on Wordpress install).
>
> I considered publishing this formally but...
>
> http://codex.wordpress.org/Security_FAQ
> See the 5th clause.
>
> If they can't be bothered with proper coding practices, I won't bother
> arguing what the meaning behind "optimal security" is either.
> For the record, keep in mind that hiding the said errors from output
> still doesn't stop them from being logged in the infamous error_log,
> which of course can be fixed by (un)setting yet another config.
>
> Seems useless to point out that security is about not shooting at your
> own feet as opposed to doing so and mending them later on.
>
> EOR
>
> Chris.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/