Wordpress plugin abtest vulnerable to a directory traversal attack

[Scott Herbert <scott.a.herbert () googlemail com>]

-------------------------
Affected products:
-------------------------

Product :               wordpress
Plugin in name :        abtest
File name :             abtest_admin.php

----------
Details:
----------

The file abtest_admin.php of the plugin abtest is vulnerable to a Directory
traversal attack (see
http://en.wikipedia.org/wiki/Directory_traversal_attack) which could expose
sensitive information to unauthorised third parties.

Example code:
http://localhost/blog/wp-content/plugins/abtest/abtest_admin.php?action=../.
./../../../../../etc/passwd%00

--------------------
Suggested fix:
--------------------

preferably amend line 4 of abtest_admin.php to include a switch statement
ensuring $_GET['action'] is safe i.e.
switch ($_GET['action']) {
case "add_goal":
case "add_ip_filter":
..>8.. cut for space ..8<...
case "tabs":
    include 'admin/' . $_GET['action'] . '.php';
    break;
default:
    echo "oh... something wrong...";
}

Or at least remove all non-alpha and underscores from $_GET['action'] prior
to the include statement.

------------
Timeline:
------------

11-Sept-2012 Author, Wordpress
12-Sept-2012 Wordpress pulled the plugin
11-Oct-2012 No contact from the vendor. Vulnerability made public via my
blog and the full disclosure email list.

--
Scott Herbert
http://blog.scott-herbert.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/