Details
Affected Software: BackupWordPress
Fixed in Version: 0.4.3
Issue Type: Code Execution
Original Code: Found Here
Description
This bug was a remote file inclusion vulnerability in the WordPress plugin BackupWordPress. The vulnerability was publicly disclosed on milw0rm by the “Xmors Underground Team” (http://www.milw0rm.com/exploits/4593). Combined with the register_globals behaviour in older versions of PHP, it allowed an attacker to set “$GLOBALS['bkpwp_plugin_path']” simply by passing a parameter of that name in the URL of a GET request, thereby supplying an attacker-controlled location for the include.
The developers fixed the vulnerability by removing the $GLOBALS lookup from the source and using the BKPWP_PLUGIN_PATH constant instead, which request input cannot set.
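The following added illustration (not BackupWordPress code, and not from the original post) shows why a request-populated $GLOBALS entry is dangerous under register_globals, why a constant is immune to it, and a path check that a practitioner would want as defence in depth. All function names, the simulated register_globals behaviour and the temporary plugin tree are constructed for the example.

```php
<?php
// Added example, not BackupWordPress code. Function names are hypothetical.

// register_globals (on by default in early PHP 4, removed in 5.4) imported every
// request parameter into the global scope, roughly like extract($_GET) at
// startup. This merely simulates that on a constructed request array.
function simulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern (the "-" line of the fix): the include prefix is read
// from a global that the request can populate.
function resolve_include_vulnerable(): string
{
    return ($GLOBALS['bkpwp_plugin_path'] ?? '') . 'Archive/Predicate.php';
}

// Fixed pattern (the "+" line of the fix): a constant defined by the plugin
// bootstrap. register_globals creates variables, never constants, so request
// input cannot influence the path. Fail closed if the bootstrap has not run.
function resolve_include_fixed(): string
{
    if (!defined('BKPWP_PLUGIN_PATH')) {
        throw new RuntimeException('plugin not initialised');
    }
    return BKPWP_PLUGIN_PATH . 'Archive/Predicate.php';
}

// Defence in depth: the resolved path must be an existing file under the plugin
// directory and never a URL or stream wrapper (http://, ftp://, php://, data://).
function is_safe_plugin_include(string $path, string $pluginDir): bool
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path)) {
        return false;
    }
    $real = realpath($path);
    $base = realpath($pluginDir);
    if ($real === false || $base === false) {
        return false;
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed plugin tree in a temp directory so the demo runs anywhere.
$pluginDir = sys_get_temp_dir() . '/bkpwp_demo_' . bin2hex(random_bytes(4));
mkdir($pluginDir . '/Archive', 0700, true);
file_put_contents($pluginDir . '/Archive/Predicate.php', "<?php\n");
define('BKPWP_PLUGIN_PATH', $pluginDir . '/');

// Constructed request carrying a parameter of the same name as the global.
simulate_register_globals(['bkpwp_plugin_path' => 'http://example.invalid/']);

$vuln  = resolve_include_vulnerable();
$fixed = resolve_include_fixed();
printf("vulnerable resolves to: %s -> safe? %s\n", $vuln,
       is_safe_plugin_include($vuln, $pluginDir) ? 'yes' : 'no');
printf("fixed resolves to:      %s -> safe? %s\n", $fixed,
       is_safe_plugin_include($fixed, $pluginDir) ? 'yes' : 'no');

// Tidy up the constructed tree.
unlink($pluginDir . '/Archive/Predicate.php');
rmdir($pluginDir . '/Archive');
rmdir($pluginDir);
```

Run with `php demo.php`: the vulnerable resolver returns the request-supplied URL prefix and fails the check, while the fixed resolver returns a path inside the constructed plugin directory and passes. The realpath prefix comparison is what guards against "../" traversal even when the constant itself is trustworthy.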
Developers Solution
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | <?php -require_once $GLOBALS['bkpwp_plugin_path']."Archive/Predicate.php"; +require_once BKPWP_PLUGIN_PATH."Archive/Predicate.php"; require_once "MIME/Type.php"; class File_Archive_Predicate_MIME extends File_Archive_Predicate { var $mimes; function File_Archive_Predicate_MIME($mimes) { if (is_string($mimes)) { $this->mimes = explode(",",$mimes); } else { $this->mimes = $mimes; } } function isTrue(&$source) { $sourceMIME = $source->getMIME(); foreach ($this->mimes as $mime) { if (MIME_Type::isWildcard($mime)) { $result = MIME_Type::wildcardMatch($mime,$sourceMIME); } else { $result = ($mime == $sourceMIME); } if ($result !== false) { return $result; } } return false; } } ?> |
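Review bot: The "+" line makes this file depend on BKPWP_PLUGIN_PATH being defined before it is loaded, and nothing in the hunk guarantees that; if the file is requested directly (which the original inclusion relied on), PHP treats the undefined constant as the bare string "BKPWP_PLUGIN_PATH" and the require_once fails with an error instead of loading an attacker path. Consider a guard such as `if (!defined('BKPWP_PLUGIN_PATH')) exit;` at the top so direct requests fail quietly. The substitution itself is the right fix for the register_globals problem, since request parameters can populate $GLOBALS but can never define a constant. The unchanged `require_once "MIME/Type.php";` still resolves through include_path rather than the plugin directory, which is outside this hunk but deserves the same constant-prefixed treatment.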



[...] Comments need to be approved. So, even if this XSS was valid I would personally have to share it with my readers. In doing your homework, realize that other bugs, such as remote code execution, are WAY better. Look for those. [...]