Full Disclosure mailing list archives
Re: Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1
From: Ryan Dewhurst <ryandewhurst () gmail com>
Date: Sat, 30 Nov 2013 21:19:43 +0100
Although I do not agree with this point, WordPress's stance on this is:

"Why are there path disclosures when directly loading certain files? This is considered a server configuration problem. Never enable display_errors on a production site." - http://codex.wordpress.org/Security_FAQ#Why_are_there_path_disclosures_when_directly_loading_certain_files.3F

WordPress do not consider this a security bug but instead a configuration problem. They will not fix any and therefore WordPress is absolutely full of FPD issues.

I did some research back in 2011 and found that the first version of WordPress I could install (0.71-gold) had 44 FPDs, whereas the latest at the time of the research (3.2.1) had 155 FPDs - http://www.ethicalhack3r.co.uk/full-path-disclosure-fpd/

Here is every FPD issue I identified from version 0.71-gold to version 3.2.1 - http://ethicalhack3r.co.uk/files/misc/wp_paths.tar (I would estimate thousands across the versions; I used YEHG's inspathx tool)

From this research I found that the "wp-includes/rss-functions.php" file is the most consistent to give an FPD across all versions; this is the file now used in WPScan to detect FPDs in WordPress reliably - https://github.com/wpscanteam/wpscan/blob/2fb6f7169acb5263f11586e742474193ed3b4ee1/lib/wpscan/wp_target/wp_full_path_disclosure.rb

Until WordPress decide to start fixing them, individual FPD bugs are a non-issue.

On Sat, Nov 30, 2013 at 8:44 PM, MustLive <mustlive () websecurity com ua> wrote:
> Hello list!
>
> In July I wrote about one vulnerability in WordPress, which was hiddenly fixed in version 3.5.2 (http://securityvulns.ru/docs29555.html). Here are new ones.
>
> These are hiddenly fixed vulnerabilities in such versions of WordPress as 3.6 and 3.6.1. Developers of WP intentionally haven't written about them to decrease the official number of fixed holes. Which is typical for them - since 2007 they often hide fixed vulnerabilities.
>
> As I wrote in September (http://websecurity.com.ua/6795/), there are 9 FPD vulnerabilities which were hiddenly fixed in WP 3.6. They were not mentioned in the announcement, only mentioned in Codex (as "bugs"). There were even cases when WP developers wrote about fixed FPDs in official announcements.
>
> Full path disclosure (WASC-13):
>
> In Media Library if an attachment parent does not exist.
> In function parent_dropdown().
> In function wp_new_comment().
> In function mb_internal_encoding().
> At processing of image metadata.
> In function get_post_type_archive_feed_link().
> In function WP_Image_Editor::multi_resize().
> In function wp_generate_attachment_metadata().
> At deleting or restoring an item that no longer exists.
>
> Vulnerable are WordPress 3.5.2 and previous versions.
>
> As I wrote in November (http://websecurity.com.ua/6904/), there are 3 FPD vulnerabilities which were hiddenly fixed in WP 3.6.1. They were not mentioned in the announcement or Codex. There were even cases when WP developers wrote about fixed FPDs in official announcements.
>
> Full path disclosure (WASC-13):
>
> In function get_allowed_mime_types().
> In function set_url_scheme().
> In function comment_form().
>
> Vulnerable are WordPress 3.6 and previous versions.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
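The thread hinges on two things: what a full path disclosure looks like when PHP's display_errors is on (the Codex line Ryan quotes), and how a scanner such as WPScan recognises one in a response. The following Python is an added illustration for this archive page, not code from WPScan, WordPress or either poster. It parses PHP error lines for leaked filesystem paths (both html_errors on and off renderings, Unix and Windows paths) and audits a php.ini fragment for the display_errors directive. All response bodies and php.ini fragments are constructed samples, and the function names (find_path_disclosures, has_fpd, display_errors_enabled) are this example's own.

```python
"""Added example: spotting PHP full path disclosure (FPD) in a response body,
and auditing the display_errors setting that WordPress's Security FAQ blames.
Illustration code, not WPScan's or WordPress's own; all sample data below is
constructed, and the function names are this example's own choice."""
import re

# One PHP error as rendered when display_errors=On. With html_errors=On the
# level, path and line are wrapped in <b>...</b>; with html_errors=Off (or on
# the CLI / in logs) they are bare text. Both forms are accepted here.
PHP_ERROR_LINE = re.compile(
    r'(?:<b>)?(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)(?:</b>)?:\s*'
    r'(?P<message>.*?)\s+in\s+(?:<b>)?'
    r'(?P<path>(?:/[^\s<>"]+)+\.php|[A-Za-z]:\\[^\s<>"]+\.php)(?:</b>)?'
    r'\s+on line\s+(?:<b>)?(?P<line>\d+)(?:</b>)?',
    re.IGNORECASE,
)

# Constructed response bodies, modelled on what loading a wp-includes file
# directly tends to produce; they are not captures from any real site.
SAMPLE_RESPONSES = {
    "html_errors_on": (
        "<br />\n<b>Fatal error</b>:  Call to undefined function "
        "_deprecated_file() in <b>/var/www/html/wp-includes/rss-functions.php</b> "
        "on line <b>8</b><br />\n"
    ),
    "plain_text_error": (
        "PHP Fatal error:  Call to undefined function _deprecated_file() in "
        "C:\\xampp\\htdocs\\wordpress\\wp-includes\\rss-functions.php on line 8\n"
    ),
    "display_errors_off": "",  # same request on a hardened host: blank page
    "ordinary_page": "<html><body><p>Just another WordPress site</p></body></html>",
}


def find_path_disclosures(body):
    """Return (level, absolute path, line) for every PHP error in body that leaks a path."""
    return [
        (m.group("level"), m.group("path"), int(m.group("line")))
        for m in PHP_ERROR_LINE.finditer(body)
    ]


def has_fpd(body):
    """True if the body discloses at least one server-side filesystem path."""
    return bool(find_path_disclosures(body))


def display_errors_enabled(ini_text):
    """Audit a php.ini fragment: does display_errors resolve to on?

    PHP's compiled-in default is display_errors=1, so an absent directive
    counts as on; the last uncommented assignment wins; "stdout"/"stderr"
    are also enabling values.
    """
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop php.ini comments
        m = re.match(r'display_errors\s*=\s*"?([^"\s]*)"?', line, re.IGNORECASE)
        if m:
            value = m.group(1).lower()
    if value is None:
        return True
    return value in {"on", "1", "true", "yes", "stdout", "stderr"}


# Constructed php.ini fragments: the weak setting beside the corrected one
# (errors still recorded, but in a log instead of the HTTP response).
WEAK_INI = "; dev box\ndisplay_errors = On\nhtml_errors = On\n"
HARDENED_INI = (
    "; php.ini-production style\n"
    "display_errors = Off\n"
    "log_errors = On\n"
    "error_log = /var/log/php/error.log\n"
)

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name:20s} FPD={has_fpd(body)} {find_path_disclosures(body)}")
    print("weak php.ini leaks paths:", display_errors_enabled(WEAK_INI))
    print("hardened php.ini leaks paths:", display_errors_enabled(HARDENED_INI))
```

The point of the two halves is that they check the same property from opposite sides: a scanner can only observe the response, so it pattern-matches PHP's error format; an operator can read the configuration, so the audit asks whether display_errors is effectively on, including the cases where it is on because the directive is simply absent or because a later line overrides an earlier one.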