Mustlive has found a number of directory traversal vulnerabilities in WP 2.0.11 (the latest release of the 2.0 branch). BlogSec have confirmed this in WordPress 2.3.1. WP 2.3.2 is not vulnerable.
Please note, this only affects WordPress running on MS Windows.
A directory traversal attack means an attacker can potentially view or edit files outside the area the application is meant to access. Depending on how the web server has been configured, this may allow an authenticated user to view sensitive files such as wp-config, password files, etc.
The problem lies in the following function:
function validate_file( $file, ... )
    if ( false !== strpos( $file, './' ) )  // rejects only the forward-slash form of a parent-directory reference
This works fine on Linux; however, MS Windows also accepts the backslash as a path separator, so '..\' is a valid parent-directory reference there. This means the check for './' can be bypassed by using '.\' instead.
Proof of concept:
http://site/wp-admin/index.php?page=\..\..\.htaccess
This is fixed in WP 2.3.2 (the latest version checks for '..' and './').
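As an added example (not WordPress's own code; the function names are assumptions), here is the quoted check beside a hardened version in the spirit of the 2.3.2 fix, run over a few constructed page parameters including the proof-of-concept value from the post:

```php
<?php
// Added example, not WordPress code. Function names are assumptions.

// Mirrors the single check quoted above: only the forward-slash form
// of a parent-directory reference is caught.
function validate_file_old( $file ) {
    if ( false !== strpos( $file, './' ) )
        return 1; // rejected
    return 0;     // accepted
}

// Hardened form: normalise backslashes to forward slashes first so a
// Windows-style path is judged the same way as a POSIX one, then reject
// any '..' and any './'. The '..' test is deliberately coarse and also
// rejects names like 'my..file.php'; that is the trade-off the fix makes.
// The drive-letter test is an extra check added here, not part of the fix
// the post describes.
function validate_file_new( $file ) {
    $normalised = str_replace( '\\', '/', $file );
    if ( false !== strpos( $normalised, '..' ) )
        return 1;
    if ( false !== strpos( $normalised, './' ) )
        return 1;
    if ( ':' === substr( $normalised, 1, 1 ) ) // absolute path such as C:\...
        return 2;
    return 0;
}

// Constructed sample inputs (PHP single quotes: '\\' is one backslash).
$samples = array(
    'index.php',               // legitimate, accepted by both
    '../../wp-config.php',     // forward-slash traversal, rejected by both
    '\\..\\..\\.htaccess',     // the post's proof of concept: old=0 (bypass), new=1
    'foo\\..\\wp-config.php',  // mixed separators: old=0, new=1
    'C:\\example.txt',         // absolute Windows path: old=0, new=2
);

foreach ( $samples as $s ) {
    printf( "%-26s old=%d new=%d\n", $s, validate_file_old( $s ), validate_file_new( $s ) );
}
```

Run it with the PHP CLI on any platform; the old check's verdict does not depend on the operating system, which is why the bypass is only exploitable where the file system itself honours the backslash.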
Hmm, someone posted about this problem before:
http://www.notsosecure.com/folder2/2007/08/29/yet-another-insecure-wordpress-code/
Alex, looks like Sid didn’t think it was serious enough to mention; however, the problem here is that authenticated users do pose a risk, especially in multi-user blogger projects.
I did report this to Secunia, and they had the same opinion as me. :(
Guess it's best to stick with Linux for now.