
List:       full-disclosure
Subject:    Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1
From:       Ryan Dewhurst <ryandewhurst () gmail ! com>
Date:       2013-11-30 20:19:43
Message-ID: CAHw3cgQn416EFd30_bao_jddtCg_q4Xt9q1ApuAXN5VLWTGhxA () mail ! gmail ! com

Although I do not agree with this point, WordPress's stance on this is:

"Why are there path disclosures when directly loading certain files?
This is considered a server configuration problem. Never enable
display_errors on a production site." -
http://codex.wordpress.org/Security_FAQ#Why_are_there_path_disclosures_when_directly_loading_certain_files.3F


WordPress do not consider this a security bug and instead a configuration
problem. They will not fix any and therefore WordPress is absolutely full of
FPD issues.

I did some research back in 2011 and found that the first version of
WordPress I could install (0.71-gold) had 44 FPDs, whereas the latest at
the time of the research (3.2.1) had 155 FPDs -
http://www.ethicalhack3r.co.uk/full-path-disclosure-fpd/

Here is every FPD issue I identified from version 0.71-gold to version
3.2.1 - http://ethicalhack3r.co.uk/files/misc/wp_paths.tar (I would
estimate thousands across the versions, I used YEHG's inspathx tool)

From this research I found that the "wp-includes/rss-functions.php" file is
the most consistent to give an FPD across all versions; this is the file now
used in WPScan to detect FPDs in WordPress reliably -
https://github.com/wpscanteam/wpscan/blob/2fb6f7169acb5263f11586e742474193ed3b4ee1/lib/wpscan/wp_target/wp_full_path_disclosure.rb


Until WordPress decide to start fixing them, individual FPD bugs are a
non-issue.


On Sat, Nov 30, 2013 at 8:44 PM, MustLive <mustlive@websecurity.com.ua> wrote:

> Hello list!
> 
> In July I wrote about one vulnerability in WordPress, which was hiddenly
> fixed in version 3.5.2 (http://securityvulns.ru/docs29555.html). Here are
> new ones.
> 
> These are hiddenly fixed vulnerabilities in such versions of WordPress as
> 3.6 and 3.6.1. Developers of WP intentionally haven't written about them to
> decrease the official number of fixed holes, which is typical for them: since
> 2007 they often hide fixed vulnerabilities.
> 
> As I wrote in September (http://websecurity.com.ua/6795/), there are 9
> FPD vulnerabilities which were hiddenly fixed in WP 3.6. They were not
> mentioned in the announcement, only in the Codex (as "bugs"). There were
> even cases when WP developers wrote about fixed FPD in official
> announcements.
> 
> Full path disclosure (WASC-13):
> 
> In Media Library if an attachment parent does not exist.
> In function parent_dropdown().
> In function wp_new_comment().
> In function mb_internal_encoding().
> At processing of image metadata.
> In function get_post_type_archive_feed_link().
> In function WP_Image_Editor::multi_resize().
> In function wp_generate_attachment_metadata().
> At deleting or restoring an item that no longer exists.
> 
> Vulnerable are WordPress 3.5.2 and previous versions.
> 
> As I wrote in November (http://websecurity.com.ua/6904/), there are 3 FPD
> vulnerabilities which were hiddenly fixed in WP 3.6.1. They were not
> mentioned in the announcement or the Codex. There were even cases when WP
> developers wrote about fixed FPD in official announcements.
> 
> Full path disclosure (WASC-13):
> 
> In function get_allowed_mime_types().
> In function set_url_scheme().
> In function comment_form().
> 
> Vulnerable are WordPress 3.6 and previous versions.
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
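The check Ryan describes (load a file such as wp-includes/rss-functions.php directly and see whether the PHP error output leaks an absolute path) is easy to reproduce as a self-audit of your own install. The code below is an added example, not WPScan's code or anything from the thread: it parses a captured response body for the "in <path> on line N" pattern that PHP emits when display_errors is on, in both the HTML (html_errors=On) and plain-text forms. The response bodies are constructed samples, and the probe file name is only the default argument.

```python
"""Self-audit helper for PHP full path disclosure (FPD) in a WordPress install.

Added example (not from the thread or WPScan). Feed it the body returned when
a known-to-error file is loaded directly; with display_errors=Off the body
carries no path, with display_errors=On it does. Samples are constructed.
"""
import re
from typing import Dict, List, Optional

# PHP error text: "... in /var/www/site/file.php on line 8" (plain) or
# "... in <b>/var/www/site/file.php</b> on line <b>8</b>" (html_errors=On).
# Unix paths start with "/", Windows paths with a drive letter.
_PATH_RE = re.compile(
    r"\bin\s+(?:<b>)?((?:/[^\s<>]+)|(?:[A-Za-z]:\\[^\s<>]+))(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(\d+)",
    re.IGNORECASE,
)

def disclosed_paths(body: str) -> List[str]:
    """Return the distinct absolute paths leaked in a PHP error response."""
    seen: List[str] = []
    for path, _line in _PATH_RE.findall(body):
        if path not in seen:
            seen.append(path)
    return seen

def webroot_from(path: str, probe: str = "wp-includes/rss-functions.php") -> Optional[str]:
    """Derive the install directory from a leaked path to the probed file."""
    norm = path.replace("\\", "/")           # normalise Windows separators
    if norm.endswith("/" + probe):
        return norm[: -len(probe) - 1]
    return None

def audit(body: str) -> Dict[str, object]:
    """Summarise one response: is there an FPD, which paths, and the webroot."""
    paths = disclosed_paths(body)
    webroot = None
    for p in paths:
        webroot = webroot_from(p)
        if webroot:
            break
    return {"fpd": bool(paths), "paths": paths, "webroot": webroot}

# Constructed sample: a host with display_errors=On and html_errors=On.
LEAKY_RESPONSE = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function _deprecated_file() in "
    "<b>/var/www/example/htdocs/wp-includes/rss-functions.php</b> on line <b>8</b><br />\n"
)
# Constructed sample: a hardened host (display_errors=Off) returns an empty body.
SAFE_RESPONSE = ""

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(name, audit(body))
```

If the audit reports an FPD, the fix is the one the Codex answer quoted above names: set display_errors=Off (and log_errors=On) in php.ini for the production site rather than patching individual files.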