WordPress 3.X.X ǰ汾ļ©

: WordPress 3.X.X and prior C Path Disclosure/File Inclusion Vulnerabilities.
 : Dark-Puzzle (Souhail Hammou)
  
 Ӱ汾: а汾
 : www.wordpress.com
 ƽ̨: Windows XP SP3 C Fr & Backtrack 5 R3 .
 # Greetings : Inj3ct0rs C Offensive Security C Security Focus C Packetstorm Security .
  
 #####################################################################################
 All Versions of WordPress are prone to a Full path disclosure vulnerability , because of a get_header() function or the include function in PHP .
 The Vulnerable line is in the themes index.php that calls an undefined function while executing from the main directory of themes .
 #####################################################################################
 Why is that happening ??
  
 The reason why the fatal error including the full path pops up is that the script was enabled to call header.php in the themes directory , so wordpress made a technique to call wp-includes/theme-compat/header.php when no compatible
 header is found . but in our case we will not be redirected because actually the header.php is figuring in the same theme File . So, What is really happening is that we are calling header.php directly from the its source
 directory so this will make a confusion because the theme is not called from the home page (http://www.example.com) But called from its location (http://www.example.com/wp-content/themes/theme/index.php)
 This exploit is working on all themes that I tested it with , So I decided to globe it for WordPress, So that would be a challenge to fix this error .
 Keep in mind that this vulnerability exists in all WordPress Themes installed directly without a manual script editing , if its not working on a website Were coming for that in the end of this file .
  
 #####################################################################################
 The Danger :
  
 **get_header() error shows the full path giving this error :
  
 Fatal error: Call to undefined function get_header() in C:\AppServ\www\wordpress\wp-content\themes\twentyten\index.php on line 16
  
 Ok , weve got the full path now.
  
 The Problem is , if the function include was used instead of get_header() and we will call the index from its source it will give us a function.include error .
 Which can lead the attacker to a Remote File Inclusion Vulnerability or a Local File Inclusion Vulnerability.
 It is real that the probabilities to find an inclusion vulnerability are very tiny but this can really happen if you find a valid parameter which varies from a theme to another .
  
 ##################
  
 ʾ: (Phiworx Theme)
  
 File : /wp-content/themes/phiworx/index.php
  
 CCut
 <?php include (TEMPLATEPATH . /header.php); ?>
 CCut
  
 So when this line is executed the script fails to recognize The PATH so it is showing up a function.include error .
 In fact this script should be edited by the user and put the complete directory of the header file . but when the theme is installed using the wp-admin method 
 and attached to the default index page this would not cause any problem when requesting it from www.example.com/index.php thats why the error is still showing up
 when going to the /themes dir .
  
 and this is what we will show up when requesting the page www.website.com/wp-content/themes/phiworx/ :
  
 Warning:include(TEMPLATEPATH/header.php) [function.include]: failed to open stream: No such file or directory in /home/dark/public_html/website.com/wp-content/themes/phiworx/index.php on line 7
  
 and if we could find a valid parameter like id,pid,cat in the index.php or any other file showing this error we will be able to include for sure , taking in consideration PHP Version and Server/Website Restrictions .
  
 ###################
  
  
 So Every Theme That you will install or try will be vulnerable .
  
 BUT trying this vulnerability in some websites will fail with you , Why ?
 Simply because some websites forbid the access on wp-content file because an attacker can list a theme directory for example .
 So it will affect our exploitation too .
 For example in my team website I installed Doover Theme but when you will try to disclosure the path or try an inclusion
 the page will be redirected to an error page :
  
 
http://datasec.x90x.net/wp-content/themes/doover/
 
 
 #####################
 Solution : How did you do that and How Can I Protect My Self ??
  
 Its Simple I wrote a .htaccess script for you , go to your Cpanel C> File Manager C> Go to wp-content Directory > create an .htaccess file and write the following lines .
  
 ################.htaccess#########################
 # This Line is used to redirect into an inexisting directory which shows the error instead of showing 403 Forbidden
 ErrorDocument 403 /
 Order Allow,Deny
 Deny from all
 # The following extensions are allowed , add many as you like . P.S :(Avoid PHP)
 <Files ~ .(css|jpeg|png|gif|js)$>
 Allow from all
 </Files>
 ################.htaccess#########################
 Who doesnt believe that .htaccess is powerful =) ?
 #####################
  
 Thanks for you attention , Hope that all wordpress websites will fix there problem .
  
 White Hats 4ever .
 #Datasec Team . 
