Full Disclosure mailing list archives
Wordpress plugin abtest vulnerable to a directory traversal attack
From: Scott Herbert <scott.a.herbert () googlemail com>
Date: Thu, 11 Oct 2012 21:50:18 +0100
-------------------------
Affected products:
-------------------------
Product     : wordpress
Plugin name : abtest
File name   : abtest_admin.php

----------
Details:
----------
The file abtest_admin.php of the plugin abtest is vulnerable to a directory traversal attack (see http://en.wikipedia.org/wiki/Directory_traversal_attack) which could expose sensitive information to unauthorised third parties.

Example code:

http://localhost/blog/wp-content/plugins/abtest/abtest_admin.php?action=../../../../../../../etc/passwd%00

--------------------
Suggested fix:
--------------------
Preferably, amend line 4 of abtest_admin.php to include a switch statement ensuring $_GET['action'] is safe, i.e.

    switch ($_GET['action']) {
        case "add_goal":
        case "add_ip_filter":
        ..>8.. cut for space ..8<...
        case "tabs":
            include 'admin/' . $_GET['action'] . '.php';
            break;
        default:
            echo "oh... something wrong...";
    }

Or at least remove all non-alpha and underscore characters from $_GET['action'] prior to the include statement.

------------
Timeline:
------------
11-Sept-2012  Author, Wordpress
12-Sept-2012  Wordpress pulled the plugin
11-Oct-2012   No contact from the vendor. Vulnerability made public via my blog and the Full Disclosure email list.

--
Scott Herbert
http://blog.scott-herbert.com/
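The allowlist approach from the suggested fix, written out as an added example rather than the plugin's own code. Only add_goal, add_ip_filter and tabs come from the advisory; the other action name, the is_string check and the helper function names are assumptions for illustration.

```php
<?php
// Added example, not code from the abtest plugin. Shows the vulnerable
// include described in the advisory next to an allowlisted dispatcher.

// Vulnerable pattern: the request value is concatenated straight into the
// include path, so "../" sequences (and a %00 byte on older PHP builds)
// let the caller choose which file is included.
function abtest_include_unsafe(string $action): void {
    include 'admin/' . $action . '.php';
}

// Fixed set of admin pages. Names other than the first three are assumed;
// replace with the real files that live under admin/.
const ABTEST_ADMIN_ACTIONS = [
    'add_goal', 'add_ip_filter', 'tabs',   // named in the advisory
    'list_goals',                          // assumed
];

// Map the request value to a path only if it is exactly one of the
// allowed names. User input never becomes part of the path otherwise.
function abtest_resolve_action($action): ?string {
    if (!is_string($action)) {            // action[]=x arrives as an array
        return null;
    }
    if (!in_array($action, ABTEST_ADMIN_ACTIONS, true)) { // strict compare
        return null;
    }
    return 'admin/' . $action . '.php';
}

function abtest_include_safe($action): void {
    $path = abtest_resolve_action($action);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown action';
        return;
    }
    include $path;
}

// The weaker fallback the advisory mentions: keep only letters and
// underscores. This blocks traversal but still lets a caller name any
// admin/*.php file, so the allowlist above is preferable.
function abtest_sanitize_action(string $action): string {
    return preg_replace('/[^A-Za-z_]/', '', $action);
}

var_dump(abtest_resolve_action('tabs'));
var_dump(abtest_resolve_action('../../../../../../../etc/passwd'));
var_dump(abtest_sanitize_action('../../../etc/passwd'));
```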