[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Wordpress plugin abtest vulnerable to a directory traversal attack
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Wordpress plugin abtest vulnerable to a directory traversal attack
- From: Scott Herbert <scott.a.herbert@xxxxxxxxxxxxxx>
- Date: Thu, 11 Oct 2012 21:50:18 +0100
-------------------------
Affected products:
-------------------------
Product : wordpress
Plugin in name : abtest
File name : abtest_admin.php
----------
Details:
----------
The file abtest_admin.php of the plugin abtest is vulnerable to a Directory
traversal attack (see
http://en.wikipedia.org/wiki/Directory_traversal_attack) which could expose
sensitive information to unauthorised third parties.
Example code:
http://localhost/blog/wp-content/plugins/abtest/abtest_admin.php?action=../.
./../../../../../etc/passwd%00
--------------------
Suggested fix:
--------------------
preferably amend line 4 of abtest_admin.php to include a switch statement
ensuring $_GET['action'] is safe i.e.
switch ($_GET['action']) {
case "add_goal":
case "add_ip_filter":
..>8.. cut for space ..8<...
case "tabs":
include 'admin/' . $_GET['action'] . '.php';
break;
default:
echo "oh... something wrong...";
}
Or at least remove all non-alpha and underscores from $_GET['action'] prior
to the include statement.
------------
Timeline:
------------
11-Sept-2012 Author, Wordpress
12-Sept-2012 Wordpress pulled the plugin
11-Oct-2012 No contact from the vendor. Vulnerability made public via my
blog and the full disclosure email list.
--
Scott Herbert
http://blog.scott-herbert.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/