Re: Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1

[Ryan Dewhurst <ryandewhurst () gmail com>]

Although I do not agree with this point, WordPress's stance on this is:

"Why are there path disclosures when directly loading certain files?
This is considered a server configuration problem. Never enable
display_errors on a production site." -
http://codex.wordpress.org/Security_FAQ#Why_are_there_path_disclosures_when_directly_loading_certain_files.3F

WordPress do not consider this a security bug and instead a configuration
problem. They will not fix any and therefor WordPress is absolutely full of
FPD issues.

I did some research back in 2011 and found that the first version of
WordPress I could install (0.71-gold) had 44 FPDs, whereas the latest at
the time of the research (3.2.1) had 155 FDPs -
http://www.ethicalhack3r.co.uk/full-path-disclosure-fpd/

Here is every FPD issue I identified from version 0.71-gold to version
3.2.1 - http://ethicalhack3r.co.uk/files/misc/wp_paths.tar (I would
estimate thousands across the versions, I used YEHG's inspathx tool)

> From this research I found that the "wp-includes/rss-functions.php" file is
the most consistent to give a FPD across all versions, this is the file now
used in WPScan to detect FPDs in WordPress reliably -
https://github.com/wpscanteam/wpscan/blob/2fb6f7169acb5263f11586e742474193ed3b4ee1/lib/wpscan/wp_target/wp_full_path_disclosure.rb

Until WordPress decide to start fixing them, individual FPD bugs are a
non-issue.


On Sat, Nov 30, 2013 at 8:44 PM, MustLive <mustlive () websecurity com ua>wrote:

> Hello list!
>
> In July I wrote about one vulnerability in WordPress, which were hiddenly
> fixed in version 3.5.2 (http://securityvulns.ru/docs29555.html). Here are
> new ones.
>
> These are hiddenly fixed vulnerabilities in such versions of WordPress as
> 3.6 and 3.6.1. Developers of WP intentionally haven't wrote about them to
> decrease official number of fixed holes. Which is typical for them - since
> 2007 they often hide fixed vulnerabilities.
>
> As I wrote in September (http://websecurity.com.ua/6795/), there are 9
> FPD vulnerabilities, which were hiddenly fixed in WP 3.6. They were not
> mentioned in announcement, only mentioned in Codex (as "bugs"). Even there
> were cases, when WP developers wrote about fixed FPD in official
> announcements.
>
> Full path disclosure (WASC-13):
>
> In Media Library if an attachment parent does not exist.
> In function parent_dropdown().
> In function wp_new_comment().
> In function mb_internal_encoding().
> At processing of image metadata.
> In function get_post_type_archive_feed_link().
> In function WP_Image_Editor::multi_resize().
> In function wp_generate_attachment_metadata().
> At deleting or restoring an item that no longer exists.
>
> Vulnerable are WordPress 3.5.2 and previous versions.
>
> As I wrote in November (http://websecurity.com.ua/6904/), there are 3 FPD
> vulnerabilities, which were hiddenly fixed in WP 3.6.1. They were not
> mentioned in announcement or Codex. Even there were cases, when WP
> developers wrote about fixed FPD in official announcements.
>
> Full path disclosure (WASC-13):
>
> In function get_allowed_mime_types().
> In function set_url_scheme().
> In function comment_form().
>
> Vulnerable are WordPress 3.6 and previous versions.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/