Title: WordPress 3.x.x and prior - Path Disclosure / File Inclusion Vulnerabilities.
Author: Dark-Puzzle (Souhail Hammou)
Affected Versions: All available versions
Developer: www.wordpress.com
Test Platform: Windows XP SP3-Fr & Backtrack 5 R3.
# Greetings: Inj3ct0rs-Offensive Security-Security Focus-Packetstorm Security.
#####################################################################################
All versions of WordPress are prone to a full path disclosure vulnerability, caused by the get_header() function or by the PHP include function.
The vulnerable line is in the theme's index.php, which calls an undefined function when it is executed directly from the themes directory.
#####################################################################################
Why is that happening?
The reason the fatal error containing the full path pops up is that the script expects to call header.php in the theme's directory, so WordPress uses a fallback technique that loads wp-includes/theme-compat/header.php when no compatible
header is found. In our case we will not be redirected to that fallback, because header.php actually exists in the same theme folder. What is really happening is that we are requesting index.php directly from its source
directory, so WordPress core is never loaded and get_header() is not defined: the theme is not called from the home page (http://www.example.com) but from its own location (http://www.example.com/wp-content/themes/theme/index.php).
This works on every theme I tested it with, so I decided to report it against WordPress as a whole, so that fixing this error would be a challenge.
Keep in mind that this vulnerability exists in all WordPress themes installed directly, without manual script editing. If it does not work on a website, we come to that at the end of this file.
#####################################################################################
The Danger:
** The get_header() error shows the full path with this message:
Fatal error: Call to undefined function get_header() in C:\AppServ\www\wordpress\wp-content\themes\twentyten\index.php on line 16
OK, we've got the full path now.
The problem is, if include was used instead of get_header() and we call the index from its source directory, it will give us a function.include error.
That can lead an attacker to a Remote File Inclusion or a Local File Inclusion vulnerability.
It is true that the probability of finding an inclusion vulnerability is very small, but it can really happen if you find a valid parameter, which varies from one theme to another.
##################
Example: (Phiworx Theme)
File: /wp-content/themes/phiworx/index.php
----- Cut ------
<?php include(TEMPLATEPATH . "/header.php"); ?>
----- Cut ------
So when this line is executed the script fails to resolve the path, and it shows a function.include error.
In fact this script should be edited by the user to put the complete directory of the header file, but when the theme is installed using the wp-admin method
and attached to the default index page, this would not cause any problem when requesting it from www.example.com/index.php; that's why the error still shows up
when going to the /themes dir.
And this is what shows up when requesting the page www.website.com/wp-content/themes/phiworx/:
Warning: include(TEMPLATEPATH/header.php) [function.include]: failed to open stream: No such file or directory in /home/dark/public_html/rows on line 7
And if we could find a valid parameter like 'id', 'pid', 'cat' in the index.php or any other file showing this error, we would be able to include for sure, taking into consideration the PHP version and server/website restrictions.
###################
So every theme that you install or try will be vulnerable.
BUT trying this vulnerability on some websites will fail. Why?
Simply because some websites forbid access to the wp-content folder, since an attacker could list a theme directory, for example.
So it will affect our exploitation too.
For example, on my team's website I installed the Doover theme, but when you try to disclose the path or try an inclusion,
the page is redirected to an error page:
http://datasec.x90x.net/wp-content/themes/doover/
#####################
Solution: How did you do that, and how can I protect myself?
It's simple: I wrote a .htaccess script for you. Go to your cPanel --> File Manager --> go to the wp-content directory --> create a .htaccess file and write the following lines.
################ .htaccess #########################
# This line serves the site root (/) for denied requests instead of a bare "403 Forbidden" page
ErrorDocument 403 /
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" / "Require all granted" instead
Order Allow,Deny
Deny from all
# The following extensions are allowed; add extensions as you like. P.S.: avoid PHP.
# Plugins that serve PHP files directly from wp-content will stop working under this rule.
<Files ~ "\.(css|jpeg|png|gif|js)$">
Allow from all
</Files>
################ .htaccess #########################
Who doesn't believe that .htaccess is powerful =)?
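As an added example (not part of the original advisory), the following Python script mirrors the wp-content .htaccess allow-list above and runs it over constructed Apache access-log lines, flagging direct requests to theme or plugin PHP files that were served with HTTP 200 (the exposure described above) versus those already blocked. The log lines, IP addresses and theme/plugin paths are constructed sample data.

```python
import re

# Constructed Apache combined-format log lines (sample data, not from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "GET /wp-content/themes/twentyten/index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:41 +0000] "GET /wp-content/themes/twentyten/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:44 +0000] "GET /wp-content/themes/twentyten/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:14:02:01 +0000] "GET /wp-content/plugins/foo/foo.php HTTP/1.1" 403 199 "-" "curl/7.26"
198.51.100.9 - - [10/Oct/2012:14:02:05 +0000] "GET /wp-content/uploads/2012/10/a.png HTTP/1.1" 200 40000 "-" "curl/7.26"
"""

# Minimal parser for the combined log format: client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Same allow-list as the .htaccess <Files> rule: only these static extensions may be
# served directly from wp-content; PHP files and bare directory requests are denied.
ALLOWED_STATIC = re.compile(r'\.(css|jpeg|png|gif|js)$', re.IGNORECASE)


def htaccess_would_allow(path):
    """Return True if the advisory's wp-content rules would serve this path."""
    path = path.split('?', 1)[0]
    if not path.startswith('/wp-content/'):
        return True  # the .htaccess lives in wp-content and does not apply elsewhere
    return bool(ALLOWED_STATIC.search(path))


def find_exposures(log_text):
    """Classify direct wp-content requests the rules should deny.

    'exposed': denied-by-policy paths that were still served with 200 (the
    direct theme/plugin PHP access that leaks the full path when errors are displayed).
    'blocked': the same kind of request already answered with 403.
    """
    result = {"exposed": [], "blocked": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or htaccess_would_allow(m['path']):
            continue  # unparseable line, non-wp-content path or permitted static asset
        status = int(m['status'])
        if status == 200:
            result["exposed"].append((m['ip'], m['path']))
        elif status == 403:
            result["blocked"].append((m['ip'], m['path']))
    return result


if __name__ == "__main__":
    for kind, hits in find_exposures(SAMPLE_LOG).items():
        for ip, path in hits:
            print(f"{kind}: {ip} {path}")
```

Running it against a real access log after deploying the .htaccess should leave the "exposed" list empty; anything still there is a direct PHP or directory request under wp-content that the rules did not catch.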
#####################
Thanks for your attention. I hope that all WordPress websites will fix their problem.
White Hats 4 ever.
# Datasec Team.