
WordPress Abtest Directory Traversal

Posted on 13 October 2012

-------------------------
Affected products:
-------------------------
Product : wordpress
Plugin name : abtest
File name : abtest_admin.php

----------
Details:
----------
The file abtest_admin.php of the plugin abtest is vulnerable to a Directory traversal attack (see http://en.wikipedia.org/wiki/Directory_traversal_attack) which could expose sensitive information to unauthorised third parties.

Example code:
http://localhost/blog/wp-content/plugins/abtest/abtest_admin.php?action=../../../../../../../etc/passwd%00

--------------------
Suggested fix:
--------------------
Preferably amend line 4 of abtest_admin.php to include a switch statement ensuring $_GET['action'] is safe, i.e.

switch ($_GET['action']) {
    case "add_goal":
    case "add_ip_filter":
    ..>8.. cut for space ..8<...
    case "tabs":
        include 'admin/' . $_GET['action'] . '.php';
        break;
    default:
        echo "oh... something wrong...";
}

Or at least strip every character other than letters and underscores from $_GET['action'] prior to the include statement.

------------
Timeline:
------------
11-Sept-2012 Author, Wordpress
12-Sept-2012 Wordpress pulled the plugin
11-Oct-2012 No contact from the vendor. Vulnerability made public via my blog and the full disclosure email list.

--
Scott Herbert
http://blog.scott-herbert.com/
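The two fixes suggested above, worked through as a complete handler. This is an added example, not the abtest plugin's own code; the action names, the admin/ directory layout and the function names are assumptions. The first approach is the allow-list the advisory prefers; the second is the fallback of stripping everything except letters and underscores, combined with a realpath() check so that the resolved file is verified to sit under admin/ before it is included.

```php
<?php
// Added example (not the abtest plugin's own code): a hardened version of the
// "include 'admin/' . $_GET['action'] . '.php'" pattern from the advisory.
// Action names and the admin/ directory layout are assumptions.

// Approach 1 (preferred): a fixed allow-list of admin pages.
const ABTEST_ADMIN_ACTIONS = array(
    'add_goal',
    'add_ip_filter',
    'tabs',
);

function abtest_load_admin_page($action)
{
    // Only an exact, type-strict match reaches the include; any traversal
    // sequence or embedded null byte simply fails the comparison.
    if (!in_array($action, ABTEST_ADMIN_ACTIONS, true)) {
        return false;
    }
    $file = __DIR__ . '/admin/' . $action . '.php';
    if (!is_file($file)) {
        return false;
    }
    include $file;
    return true;
}

// Approach 2 (the advisory's fallback): keep only letters and underscores,
// then confirm the resolved path still lies inside admin/.
function abtest_sanitize_action($action)
{
    return preg_replace('/[^A-Za-z_]/', '', (string) $action);
}

function abtest_load_admin_page_sanitized($action)
{
    $name = abtest_sanitize_action($action);
    if ($name === '') {
        return false;
    }
    $base = realpath(__DIR__ . '/admin');
    $file = realpath($base . '/' . $name . '.php');
    // realpath() returns false for a missing file; the prefix check rejects
    // anything that still resolves outside the admin/ directory.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $file;
    return true;
}

$action = isset($_GET['action']) ? $_GET['action'] : '';
if (!abtest_load_admin_page($action)) {
    // Generic message: never echo the user-supplied value back unescaped.
    echo 'Unknown admin action.';
}
```

With the advisory's example request, abtest_load_admin_page() rejects the value outright because it is not in the allow-list. Under the sanitising fallback, the URL-decoded value collapses to the bare string "etcpasswd", realpath() on admin/etcpasswd.php returns false because no such file exists, and the request is refused; even if a file of that name did exist, the prefix check keeps the include confined to admin/.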

 
