Full Disclosure mailing list archives
Re: Full Path Disclosure in most wordpress' plugins [?]
From: "Fernando A. Lagos B." <fernando () zerial org>
Date: Mon, 28 Sep 2009 16:30:18 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 majinboo wrote:
Hello,
Hi
this kind of "vulnerabilities" exists whenever a PHP scripts issue a fatal error on a poorly configured server. PHP should log errors in a local file and not on the client screen. With this configuration, you will not see a full path disclosure in each uncatched PHP exception. IMHO the security weakness is on the php.ini and not on the web application.
The most of Full Path Disclosure are triggered by a Warning, Fatal Error or Notice message from PHP. This problem is a problem into the developer side. Each developer must validate incoming parameters (by GET or POST), function calls, file opening, sql queries, etc. If you see the rest of code (example in hello.php) each function call is validated by "if (function_exists(...))" but "add_action()" not. All plugins (wordpress, joomla, etc etc) must be validated and correctly parsed, I can't call to "function()" if "function()" not exists (in the api context). What do you think about?
cheers,
cheers!
majinboo 2009/9/28 Fernando A. Lagos B. <fernando () zerial org <mailto:fernando () zerial org>> Exists an call to add_action() without validate with function_exists(). When I run the php script directly, I get the full path of wp installation. Example: [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php [+] http://www.marco2010.cl/wp-content/plugins/hello.php Is a bug? Is a feature? More details posted in my blog: http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/ (spanish) cheers.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ - -- Fernando A. Lagos Berardi - Zerial Desarrollador y Programador Web Seguridad Informatica Linux User #382319 Blog: http://blog.zerial.org Skype: erzerial Jabber: zerial () jabberes org GTalk && MSN: fernando () zerial org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrBHNoACgkQIP17Kywx9JQzCgCdHu3d4cwAi2tpPeqyy1PVbpNj eQsAn2xjhAFNoUIZuTsX+Haxo4Ydgns6 =fzpB -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Jan G.B. (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Loaden (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Peter Bruderer (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 30)
- Re: Full Path Disclosure in most wordpress' plugins [?] James Matthews (Sep 30)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 28)