Full Disclosure mailing list archives

Re: Information Leakage and Full path disclosure vulnerabilities in WordPress


From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Tue, 3 Aug 2010 15:06:26 +0200

2010/8/2 MustLive <mustliveua () gmail com>:
> Hello Full-Disclosure!
>
> I want to warn you about security vulnerabilities in WordPress which I
> published on 30.07.2010 during my Day of bugs in WordPress 2 project.


Awesome! Let's see what you got, here...


> So in the common case, when the name of the database, prefix and date are known,
> it will take up to 1048576 combinations (folder) + up to 1000 combinations
> (file) = up to 1049576 combinations (full path to the file).

Wouldn't you have to multiply 104856 by 1000? So you don't have to
brute-force just 105.856 possible variations but 104.856.000...

> On average it's
> 524788 combinations, which can be picked up quickly enough with a fast
> Internet connection.

Nope! Actually not.


Btw: Full path disclosure is basically a configuration error of the
environment, as no application should be allowed to print out errors on
the front-end to "customers". WordPress developers have stated their
opinion about that several times.
But let's continue...




> ------------------------------
> Protection against these vulnerabilities.
> ------------------------------
>
> For protection it's possible to fix these Full path disclosure
> vulnerabilities yourself (as with other FPD in WordPress), or update the plugin
> to the latest version, WP-DB-Backup 2.2.2.
>
> http://wordpress.org/extend/plugins/wp-db-backup/
Version: 2.2.2
Last Updated: 2008-12-10

Does it make sense to post advisories about very very old versions
which are of no relevance at all, since the latest version is even 2
years old?
What the ...



> WordPress 2.0.11 ships version 1.8 of the plugin. As I checked
> recently, Full path disclosure and other vulnerabilities were fixed in
> version 2.1 of the plugin. So the latest version of the plugin, WordPress
> Database Backup 2.2.2, isn't vulnerable to CSRF and Full path disclosure (and
> isn't vulnerable to the above-mentioned Directory Traversal, Arbitrary file
> deletion, DoS and XSS (http://websecurity.com.ua/1676/)). But the latest
> version of the plugin is still vulnerable to Information Leakage.


Win 3.11 has some serious flaws, too! For real!!11 omfg!

Stop wasting time

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
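As an added example, not code from either poster or from the WordPress project, here is the kind of wp-config.php setting that addresses the "configuration error of the environment" Jan refers to: PHP error details, including the full filesystem path that Full path disclosure leaks, go to a server-side log and never into the response. The log path is an assumption; the WordPress constants and PHP ini directives are real ones.

```php
<?php
// Added example (not from the thread or from WordPress itself).
// Assumed to live in wp-config.php, before wp-settings.php is included.

// Weak setting: this is what renders errors, and with them absolute paths,
// into pages served to anonymous visitors. Shown for contrast, left disabled.
// define('WP_DEBUG', true);
// define('WP_DEBUG_DISPLAY', true);
// ini_set('display_errors', '1');

// Hardened setting: same information, but only in a log the web server does not serve.
define('WP_DEBUG', false);          // no debug notices in production
define('WP_DEBUG_DISPLAY', false);  // even if WP_DEBUG is ever turned on, do not render them
@ini_set('display_errors', '0');    // covers fatal errors, which no PHP error handler sees
@ini_set('log_errors', '1');
// Assumed path: anywhere outside the document root, so the log itself cannot be fetched.
@ini_set('error_log', '/var/log/php/wordpress-errors.log');

// Defence in depth for non-fatal errors: record the detailed message (path and line
// included) server-side and return true so PHP's default handler prints nothing.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
});
```

A quick check after deploying is to request a page in a way that triggers a warning (for example, a plugin file included directly) and confirm the response body is empty or generic while the entry appears in the log.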
