[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Wordpress enable-latex plugin Remote File Include Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Wordpress enable-latex plugin Remote File Include Vulnerabilities
- From: Henri Salo <henri@xxxxxxx>
- Date: Wed, 30 Nov 2011 23:40:40 +0200
On Wed, Nov 23, 2011 at 12:30:58PM +0000, Amir@xxxxxxxx wrote:
> a bug in Wordpress enable-latex plugin that allows to us to occur a Remote
> File Include on a Remote machin.
>
>
>
> ################################################################################################################################
> #
> #
> # Aria Security Team - Persian Network Security
> #
> #
> #
> # http://Aria-Security.Com/forum/
> #
> #
> #
> ################################################################################################################################
> #
> #
> # Wordpress enable-latex plugin Remote File Include Vulnerabilities
> #
> #
> #
> # Download......: http://wordpress.org/extend/plugins/enable-latex/
> #
> #
> #
> # Exploit.......:
> http://www.site.com/[path]/wp-content/plugins/enable-latex/core.php?url=[Rfi]?
> #
> #
> #
> # Google Search.: "Powered by Wordpress"
> #
> #
> #
> ################################################################################################################################
> #
> #
> # Bug Found.....: Aria-Security
> #
> #
> #
> # discovery.....: Am!r (IrIsT?)
> #
> #
> #
> # contact.......: Amir[at]IrIsT.ir
> #
> #
> #
> # SP TNX........: The-0utl4w & A.u.r.A & B3HZ4D & m3hdi & joker_s & all IrIsT
> And Aria-security members #
> #
> #
> ################################################################################################################################
I have now tested this with following versions:
WordPress: 3.2.1
Enable Latex: 1.1.2
I was unable to reproduce this issue. All I received back from application:
"Sorry, you are not allowed to access this file directly.", which comes from
core.class.php:
7 /* Prevent direct access to this file */
8 if (!defined('ABSPATH')) {
9 exit("Sorry, you are not allowed to access this file directly.");
10 }
This was added between revisions:
"""
------------------------------------------------------------------------
r467422 | sedLex | 2011-11-25 16:13:39 +0200 (Fri, 25 Nov 2011) | 1 line
bug
------------------------------------------------------------------------
r458335 | sedLex | 2011-11-01 19:00:07 +0200 (Tue, 01 Nov 2011) | 1 line
New version
"""
With version r458335 I am unable to reproduce this issue as these PHP-files
just give require_once PHP warnings. Could you please help me with this issue
to identify if this is valid announcement and with what versions, thank you.
- Henri Salo