Khan Academy: Full Path Disclosure on [smarthistory.khanacademy.org]

2014-04-07T22:22:31
ID H1:6362
Type hackerone
Reporter gsalazar
Modified 2014-04-11T19:03:04

Description

Hello, I have found a full path disclosure on a website that runs a WordPress installation. There isn't much to explain about this bug, as it's pretty self-explanatory. What an attacker can do with this bug is identify the full path, and the user the site is running under. If the attacker finds a vulnerability where he needs the full path, he can grab it from there.

Here's the proof of concept - http://smarthistory.khanacademy.org/blog/wp-content/plugins/podpress/getid3/write.php

To mitigate this vulnerability, either fix the syntax error, or remove the file if it is not necessary anymore after evaluation.

Thank you.
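A defensive check for the class of issue reported above, as an added example that is not part of the original report: it scans an HTTP response body for PHP error output that leaks an absolute file path, and infers the account name when the path sits under a home directory. The function names, sample bodies and paths are constructed for illustration and are not taken from the affected site.

```python
import re

# PHP's default error layout: "<level>: <message> in <file> on line <n>",
# optionally wrapped in <b> tags when html_errors is enabled.
PHP_ERROR = re.compile(
    r"(?:<b>)?(?P<level>Parse error|Fatal error|Warning|Notice|Deprecated)(?:</b>)?:\s*"
    r"(?P<message>.*?)\s+in\s+(?:<b>)?(?P<path>(?:/|[A-Za-z]:\\)[^<\r\n]*?)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)(?:</b>)?",
    re.IGNORECASE,
)

# Heuristic: a path under /home/<name>/ or /Users/<name>/ usually names the account.
HOME_USER = re.compile(r"^/(?:home|Users)/([^/]+)/")


def find_path_disclosures(body):
    """Return one finding per PHP error in `body` that exposes a filesystem path."""
    findings = []
    for m in PHP_ERROR.finditer(body):
        path = m.group("path").strip()
        user = HOME_USER.match(path)
        findings.append({
            "level": m.group("level"),
            "path": path,
            "line": int(m.group("line")),
            "account": user.group(1) if user else None,
        })
    return findings


# Constructed sample responses (not captured from any real server).
SAMPLE_HTML = (
    "<br />\n<b>Parse error</b>:  syntax error, unexpected T_STRING in "
    "<b>/home/exampleuser/public_html/blog/wp-content/plugins/example-plugin/write.php</b>"
    " on line <b>12</b><br />\n"
)
SAMPLE_PLAIN = (
    "Warning: include(lib.php): failed to open stream: No such file or directory"
    " in /var/www/site/index.php on line 3"
)
SAMPLE_CLEAN = "<html><body>Nothing to see here</body></html>"

if __name__ == "__main__":
    for name, body in [("html", SAMPLE_HTML), ("plain", SAMPLE_PLAIN), ("clean", SAMPLE_CLEAN)]:
        print(name, find_path_disclosures(body))
```

Run over the responses of your own site's plugin and theme files, any finding marks a script that should be fixed or removed, as the report recommends.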