Yet Another Insecure WordPress Code

August 29, 2007

Package:- wordpress 2.2.2.zip

file: /wp-admin/admin-functions.php

function validate_file( $file, $allowed_files = '' ) {
        if ( false !== strpos( $file, './' ))
                return 1;

        if (':' == substr( $file, 1, 1 ))
                return 2;

        if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
                return 3;

        return 0;
}

It fails to check for the other slash (\) as well as for the null byte (%00), and hence the Windows version seems vulnerable to local file inclusion.

eg. import=…………boot.ini%00

Vulnerable file: /wp-admin/admin.php

$importer = $_GET['import'];
if ( ! current_user_can('import') )
        wp_die(__('You are not allowed to import.'));

if ( validate_file($importer) ) {
        wp_die(__('Invalid importer.'));
}

if (! file_exists(ABSPATH . "wp-admin/import/$importer.php"))
        wp_die(__('Cannot load importer.'));

include(ABSPATH . "wp-admin/import/$importer.php");
 

PS: You need admin privileges to carry out this attack, and with admin privileges you can install a backdoor anyway; hence this is not a vulnerability but just a demonstration of insecure coding.
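
A stricter version of the check and of the importer lookup shown above, as an added example that is not part of the original post or of WordPress. The names validate_file_strict and resolve_importer are hypothetical, and the temporary directory with its rss.php stub is constructed for the demo.

```php
<?php
// Added example, not WordPress code; names and demo layout are assumptions.

// Stricter counterpart to validate_file(): returns 0 when $file is acceptable.
function validate_file_strict(string $file, array $allowed_files = []): int {
    // Reject NUL bytes and both separators, so neither ../ nor ..\ gets through.
    foreach (["\0", '/', '\\'] as $bad) {
        if (strpos($file, $bad) !== false) {
            return 1;
        }
    }
    // Reject drive letters and stream wrappers such as "C:" or "php://".
    if (strpos($file, ':') !== false) {
        return 2;
    }
    // Strict comparison, so loose type juggling cannot match an entry.
    if ($allowed_files && !in_array($file, $allowed_files, true)) {
        return 3;
    }
    return 0;
}

// Map a requested importer name to a real file, or null if it is rejected.
function resolve_importer(string $import_dir, string $name): ?string {
    // Allowlist: the importer scripts actually present in the directory.
    $allowed = array_map(fn($p) => basename($p, '.php'), glob("$import_dir/*.php") ?: []);
    if (validate_file_strict($name, $allowed) !== 0) {
        return null;
    }
    // Defence in depth: the canonical path must still sit inside $import_dir.
    $base = realpath($import_dir);
    $path = realpath("$import_dir/$name.php");
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding a single importer stub.
$dir = sys_get_temp_dir() . '/import_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/rss.php", "<?php // constructed stub\n");
foreach (['rss', "..\\..\\boot.ini\0", '../rss', 'C:x', 'missing'] as $candidate) {
    $verdict = resolve_importer($dir, $candidate) === null ? 'rejected' : 'accepted';
    echo json_encode($candidate), ' => ', $verdict, "\n";
}
unlink("$dir/rss.php");
rmdir($dir);
```

Only the name rss resolves to a file; the other constructed inputs are rejected before any filesystem call that would use them.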
