[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

HTB22905: Path disclosure in Wordpress

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HTB22905: Path disclosure in Wordpress
From: advisory@xxxxxxxxxxx
Date: Tue, 29 Mar 2011 11:55:04 +0200 (CEST)

Vulnerability ID: HTB22905
Reference: http://www.htbridge.ch/advisory/path_disclosure_in_wordpress.html
Product: Wordpress
Vendor: http://wordpress.org/ ( http://wordpress.org/ ) 
Vulnerable Version: 3.1
Vendor Notification: 15 March 2011 
Vulnerability Type: Path disclosure
Status: Not Fixed
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the "/wp-includes/theme-compat/" & 
"/wp-content/themes/twentyten/" scripts, it's possible to generate an error 
that will reveal the full path of the script.
A remote user can determine the full path to the web root directory and other 
potentially sensitive information.

The following PoC is available:

[code]
/wp-includes/theme-compat/comments-popup.php    
/wp-includes/theme-compat/comments.php
/wp-includes/theme-compat/footer.php
/wp-includes/theme-compat/sidebar.php
/wp-content/themes/twentyten/index.php
/wp-content/themes/twentyten/404.php
/wp-content/themes/twentyten/archive.php
[/code]

Follow-Ups:
- Re: HTB22905: Path disclosure in Wordpress
  - From: Christian Sciberras

Prev by Date: "Simple PHP Newsletter" Remote Admin Password Change With install path
Next by Date: [SECURITY] [DSA 2205-1] gdm3 security update
Previous by thread: Re: "Simple PHP Newsletter" Remote Admin Password Change With install path
Next by thread: Re: HTB22905: Path disclosure in Wordpress
Index(es):
- Date
- Thread