Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Wordpress plugin abtest vulnerable to a directory traversal attack
From: Scott Herbert <scott.a.herbert () googlemail com>
Date: Thu, 11 Oct 2012 21:50:18 +0100

Affected products:

Product :               wordpress
Plugin in name :        abtest
File name :             abtest_admin.php


The file abtest_admin.php of the plugin abtest is vulnerable to a Directory
traversal attack (see
http://en.wikipedia.org/wiki/Directory_traversal_attack) which could expose
sensitive information to unauthorised third parties.

Example code:

Suggested fix:

preferably amend line 4 of abtest_admin.php to include a switch statement
ensuring $_GET['action'] is safe i.e.
switch ($_GET['action']) {
case "add_goal":
case "add_ip_filter":
..>8.. cut for space ..8<...
case "tabs":
    include 'admin/' . $_GET['action'] . '.php';
    echo "oh... something wrong...";

Or at least remove all non-alpha and underscores from $_GET['action'] prior
to the include statement.


11-Sept-2012 Author, Wordpress
12-Sept-2012 Wordpress pulled the plugin
11-Oct-2012 No contact from the vendor. Vulnerability made public via my
blog and the full disclosure email list.

Scott Herbert

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Wordpress plugin abtest vulnerable to a directory traversal attack Scott Herbert (Oct 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]