Re: WordPress Authenticated File Upload Authorisation Bypass

[Hector Marco <hecmargi () upv es>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



1.- "WordPress Authenticated File Upload Authorisation Bypass" ... where
is the "Bypass" ?
2.- "A malicious user with access to the admin panel" .. this user does
not need any more :)



El 21/06/12 17:02, Gage Bystrom escribió:
> to me it seems like hes trying to say that someone with administrative
> access has the ability to....have administrative access. Its like
> saying "Hey guys! I found a local exploit and all it requires is to be
> a root user!!!"
>
> I'm not sure if he's trolling or just stupid.
>
> On Thu, Jun 21, 2012 at 7:42 AM, Greg Knaddison
> <greg.knaddison () acquia com> wrote:
> > On Wed, Jun 20, 2012 at 8:04 PM, Denis Andzakovic
> > <denis.andzakovic () security-assessment com> wrote:
> > > Exploitation of this vulnerability requires a malicious user with
> > > access to the admin panel to use the
> > > "/wp-admin/plugin-install.php?tab=upload" page to upload a malicious
> > > file.
> >
> >
> > That tool is meant to allow an admin to upload arbitrary php plugins. You
> > can argue that this feature is insecure by design, but there are two
> > solutions from the WordPress perspective:
> >
> > 1) "Don't grant malicious users the permission to install plugins."
> > 2) If you don't want this feature on your site at all, this feature can be
> > disabled in the config define( 'DISALLOW_FILE_MODS', TRUE);
> >
> > By the way, two more "vulnerabilities" the theme installer has this same
> > issue and the upgrade tool could also be abused if you can poison the
DNS of
> > the server.
> >
> > Regards,
> > Greg
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP41H2AAoJEKXHFbLwCyFqezcP/jO8GwraKDBoDhtJNTnkQFjS
ZOdlKj3yT6PcKJTAGyH+a4x1HBbRHtThHC9GOQm+Fzv/NJ/BYVeL495CeMVrxR/7
tCeirDTV0ek28qZmfdJbQy41GYaI9/JScjh+K8rEby5jOurnNGR0G4LARX9n3iBC
MZOarxVkmF5nkRf1Tc+PgqIa2mLHn8j1nNvm+pRVuXYMr3eYqwfZNUsudoZ6cliu
J2SIZja6kmltO6vuKw2VxY8Tv9W6U+RdRhvAUas4L+sjOrzJQ7N8NopvaPai3tf1
ZyZ0Z0Zo0/XujhdpYp0JmhAjyQx8ftu9mkMlsrwPYH+c4q078R8iTQXo6gfvveb6
93WtWPq0WUwfbKd/AHDuTJ3IRm07XuHPYwSoylA+3ugvuDqcIWhREfL3OZCKzw64
f35qcUfaI7fpNUG1uMVnbBpoYR4YOs7BEoB6AS+0JTy4qNBpSE8S6n2GgS0OpZ3w
qm1ClygSAbcJDqkM2Tsy9z43CJFF32FUCM3irgUZyhxYRPu7axyU4tASu+TyokHu
yTpWSgboMlb8oVvX6sznHdRqbbOKQesdZU6/1ZcyIDuMC7DD5dfx4/nD2lMVC16H
QW8vG5q9E1IpfXGbrpG5lOayRuaUGgpD72whziuO7tqx+at/cTegKXQvn+qthn3f
y9DYJ+1afNMjsSFOty2y
=Q43y
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/