Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1
From: Ryan Dewhurst <ryandewhurst () gmail com>
Date: Sat, 30 Nov 2013 21:19:43 +0100

Although I do not agree with this point, WordPress's stance on this is:

"Why are there path disclosures when directly loading certain files?
This is considered a server configuration problem. Never enable
display_errors on a production site." -
http://codex.wordpress.org/Security_FAQ#Why_are_there_path_disclosures_when_directly_loading_certain_files.3F

WordPress do not consider this a security bug and instead a configuration
problem. They will not fix any and therefor WordPress is absolutely full of
FPD issues.

I did some research back in 2011 and found that the first version of
WordPress I could install (0.71-gold) had 44 FPDs, whereas the latest at
the time of the research (3.2.1) had 155 FDPs -
http://www.ethicalhack3r.co.uk/full-path-disclosure-fpd/

Here is every FPD issue I identified from version 0.71-gold to version
3.2.1 - http://ethicalhack3r.co.uk/files/misc/wp_paths.tar (I would
estimate thousands across the versions, I used YEHG's inspathx tool)

From this research I found that the "wp-includes/rss-functions.php" file is
the most consistent to give a FPD across all versions, this is the file now
used in WPScan to detect FPDs in WordPress reliably -
https://github.com/wpscanteam/wpscan/blob/2fb6f7169acb5263f11586e742474193ed3b4ee1/lib/wpscan/wp_target/wp_full_path_disclosure.rb

Until WordPress decide to start fixing them, individual FPD bugs are a
non-issue.


On Sat, Nov 30, 2013 at 8:44 PM, MustLive <mustlive () websecurity com ua>wrote:

Hello list!

In July I wrote about one vulnerability in WordPress, which were hiddenly
fixed in version 3.5.2 (http://securityvulns.ru/docs29555.html). Here are
new ones.

These are hiddenly fixed vulnerabilities in such versions of WordPress as
3.6 and 3.6.1. Developers of WP intentionally haven't wrote about them to
decrease official number of fixed holes. Which is typical for them - since
2007 they often hide fixed vulnerabilities.

As I wrote in September (http://websecurity.com.ua/6795/), there are 9
FPD vulnerabilities, which were hiddenly fixed in WP 3.6. They were not
mentioned in announcement, only mentioned in Codex (as "bugs"). Even there
were cases, when WP developers wrote about fixed FPD in official
announcements.

Full path disclosure (WASC-13):

In Media Library if an attachment parent does not exist.
In function parent_dropdown().
In function wp_new_comment().
In function mb_internal_encoding().
At processing of image metadata.
In function get_post_type_archive_feed_link().
In function WP_Image_Editor::multi_resize().
In function wp_generate_attachment_metadata().
At deleting or restoring an item that no longer exists.

Vulnerable are WordPress 3.5.2 and previous versions.

As I wrote in November (http://websecurity.com.ua/6904/), there are 3 FPD
vulnerabilities, which were hiddenly fixed in WP 3.6.1. They were not
mentioned in announcement or Codex. Even there were cases, when WP
developers wrote about fixed FPD in official announcements.

Full path disclosure (WASC-13):

In function get_allowed_mime_types().
In function set_url_scheme().
In function comment_form().

Vulnerable are WordPress 3.6 and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]