WordPress Multiple Script Direct Request Path Disclosure

2005-05-19T14:00:25
ID OSVDB:16703
Type osvdb
Reporter Thomas Waldegger (bugtraq@morph3us.org)
Modified 2005-05-19T14:00:25

Description

Vulnerability Description

WordPress contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker directly requests any one of a number of scripts that call an unspecified function. The resulting error message will disclose the physical installation path, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 1.5.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
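
The following check is an added example, not part of the OSVDB entry or of WordPress: it flags PHP error text that discloses an absolute filesystem path in an HTTP response body, which can be run against your own site's responses to confirm the upgrade removed the leak. The function name and all sample bodies are constructed for illustration; the only assumption is PHP's standard "in <file> on line <n>" error format, with or without html_errors markup.

```python
import html
import re

# With html_errors enabled PHP wraps parts of the message in <b> tags,
# so tags are stripped before matching.
_TAGS = re.compile(r"<[^>]+>")

# "<level>: <message> in <absolute path> on line <n>" on a single line.
# The path must start with "/" or a Windows drive prefix, which keeps
# ordinary prose such as "Notice: closed in August" from matching.
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice)\s*:\s*"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/]).+?)\s+on line\s+(?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return one dict per PHP error in `body` that reveals a server path."""
    text = html.unescape(_TAGS.sub("", body))
    return [
        {"level": m["level"], "path": m["path"], "line": int(m["line"])}
        for m in _PHP_ERROR.finditer(text)
    ]


# Constructed sample bodies (not captured from a real server).
VULN_BODY = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function example_fn() in "
    "<b>/var/www/example/wp-content/themes/default/index.php</b> "
    "on line <b>1</b><br />\n"
)
WIN_BODY = (
    r"Warning: include(x.php): failed to open stream in "
    r"C:\inetpub\wwwroot\blog\wp-admin\menu.php on line 12"
)
CLEAN_BODY = "<html><body><p>Notice: the office is closed in August.</p></body></html>"

if __name__ == "__main__":
    for name, body in [("vuln", VULN_BODY), ("win", WIN_BODY), ("clean", CLEAN_BODY)]:
        print(name, find_path_disclosures(body))
```

A non-empty result means the response still exposes the installation path; setting display_errors to Off in production PHP configuration is general hardening, separate from the upgrade this entry requires.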

Manual Testing Notes

/wordpress-1.5-strayhorn/wp-content/themes/
/wordpress-1.5-strayhorn/wp-includes/
/wordpress-1.5-strayhorn/wp-admin/*

References:

Vendor URL: http://wordpress.org/
Related OSVDB ID: 16701
Related OSVDB ID: 16702
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0251.html
CVE-2005-1688