WP Directory Traversal Vulnerabilities
Mustlive has found a number of directory traversal vulnerabilities in WP 2.0.11 (Latest 2.0 branch). BlogSec have confirmed this in WordPress 2.3.1. WP 2.3.2 is not vulnerable.
Please note, this only affects WordPress running on MS Windows.
A directory traversal attack means an attacker can potentially edit and view files outside of the 'allowed' area. Depending on how the web server has been configured, this may allow an authenticated user to view sensitive files such as wp-config, password files, etc.
The problem lies in the following function:
function validate_file(..)
if (false !== strpos($file, './'))
This works fine on Linux; however, MS Windows operating systems also accept the backslash as a path separator (.\). This means we can bypass the above check ('./') by using ('.\').
Proof of concept:
http://site/wp-admin/index.php?page=\..\..\.htaccess
This is fixed in WP 2.3.2 (the latest version checks for '..' and './').
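The check quoted above next to the 2.3.2 behaviour as described here, as an added example that is not WordPress's own code. The function names and sample values are constructed for illustration, and check_strict() is an assumption that goes beyond the fix described in the post by normalising separators before testing path segments.

```php
<?php
// Added illustration, not WordPress source. All function names are hypothetical.

// The single test quoted in the post: only the forward-slash form is caught.
function check_as_posted($file) {
    return false === strpos($file, './');          // true means "accepted"
}

// The 2.3.2 behaviour as the post describes it: reject '..' as well as './'.
function check_as_fixed($file) {
    return false === strpos($file, '..') && false === strpos($file, './');
}

// Stricter variant (assumption, not from the post): treat '\' and '/' alike,
// then reject NUL bytes, absolute paths, drive letters and dot segments.
function check_strict($file) {
    if (strpos($file, "\0") !== false) {
        return false;
    }
    $norm = str_replace('\\', '/', $file);
    if ($norm === '' || $norm[0] === '/' || preg_match('/^[A-Za-z]:/', $norm)) {
        return false;
    }
    foreach (explode('/', $norm) as $segment) {
        if ($segment === '..' || $segment === '.') {
            return false;
        }
    }
    return true;
}

// Constructed sample values; the third is the 'page' value from the post.
$samples = array(
    'plugin/admin.php',
    '../../wp-config.php',
    '\\..\\..\\.htaccess',
    '..\\wp-config.php',
);

foreach ($samples as $s) {
    printf("%-22s posted=%-7s fixed=%-7s strict=%s\n", $s,
        check_as_posted($s) ? 'accept' : 'reject',
        check_as_fixed($s)  ? 'accept' : 'reject',
        check_strict($s)    ? 'accept' : 'reject');
}
```

Running it shows which checks accept the backslash forms; on any platform where both separators are honoured, validation has to normalise them before looking for traversal sequences.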




Hmm, someone posted about this problem before:
http://www.notsosecure.com/folder2/2007/08/29/yet-another-insecure-wordpress-code/