The WordPress Abtest plugin suffers from a directory traversal vulnerability.
6dc4803404fba35aadcaea0bf00d71b7fbd232c6e8c86681b1e45ec676a5c7f3-------------------------
Affected products:
-------------------------
Product : wordpress
Plugin in name : abtest
File name : abtest_admin.php
----------
Details:
----------
The file abtest_admin.php of the plugin abtest is vulnerable to a Directory
traversal attack (see
http://en.wikipedia.org/wiki/Directory_traversal_attack) which could expose
sensitive information to unauthorised third parties.
Example code:
http://localhost/blog/wp-content/plugins/abtest/abtest_admin.php?action=../.
./../../../../../etc/passwd%00
--------------------
Suggested fix:
--------------------
preferably amend line 4 of abtest_admin.php to include a switch statement
ensuring $_GET['action'] is safe i.e.
switch ($_GET['action']) {
case "add_goal":
case "add_ip_filter":
..>8.. cut for space ..8<...
case "tabs":
include 'admin/' . $_GET['action'] . '.php';
break;
default:
echo "oh... something wrong...";
}
Or at least remove all non-alpha and underscores from $_GET['action'] prior
to the include statement.
------------
Timeline:
------------
11-Sept-2012 Author, Wordpress
12-Sept-2012 Wordpress pulled the plugin
11-Oct-2012 No contact from the vendor. Vulnerability made public via my
blog and the full disclosure email list.
--
Scott Herbert
http://blog.scott-herbert.com/
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed