|
WordPress "cat" Directory Traversal Vulnerability
|
|
|
|
|
Secunia Advisory:
|
SA29949
|
|
|
Release Date:
|
2008-04-25
|
|
Last Update:
|
2008-04-30
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | WordPress 2.x
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Sandor Attila Gerendi has discovered a vulnerability in WordPress, which can potentially be exploited by malicious users to compromise a vulnerable system.
Input passed via the "cat" parameter to index.php is not properly sanitised in the "get_category_template()" function in wp-includes/theme.php before being used to include files in template-loader.php. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks.
Successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.
The vulnerability is confirmed in version 2.3.3.
Solution:
Update to version 2.5.1.
Provided and/or discovered by:
Sandor Attila Gerendi
Changelog:
2008-04-30: Updated "Solution" section.
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
29 Related Secunia Security Advisories, displaying 10
|
|
|
1. WordPress PHP Code Execution and Cross-Site Scripting
|
|
2. WordPress XML-RPC Post Edit Vulnerability
|
|
3. WordPress Multiple Information Disclosure Vulnerabilities
|
|
4. WordPress GBK/Big5 Character Set "s" SQL Injection
|
|
5. WordPress Cookies Security Bypass Weakness
|
|
6. WordPress "posts_columns" Cross-Site Scripting
|
|
7. WordPress Multiple Vulnerabilities
|
|
8. WordPress "style" Cross-Site Scripting
|
|
9. WordPress Custom Field PHP Script Upload
|
|
10. WordPress XML-RPC "wp.suggestCategories" SQL Injection
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
