[VIM] FALSE --> RE: [UNKNOWN] WordPress v2.1.3 >> remote file include~
Heinbockel, Bill
heinbockel at mitre.org
Thu Apr 26 12:19:48 UTC 2007
Looks like someone is using untested automated tools
that report the wrong issue, or is totally clueless:
From Wordpress 2.1.3:
$ grep -n -i require_once wp-settings.php
100: require_once (ABSPATH . WPINC . '/wp-db.php
140:require_once (ABSPATH . WPINC . '/l10n.php');
247: require_once($locale_file);
250:require_once(ABSPATH . WPINC . '/locale.php');
The only parameter here that *might* be vulnerable is
$locale_file around line 247:
    $locale = get_locale();
    $locale_file = ABSPATH . LANGDIR . "/$locale.php";
    if ( is_readable($locale_file) )
        require_once($locale_file);
In wp-includes/l10n.php:
    function get_locale() {
        global $locale;
        if (isset($locale))
            return apply_filters( 'locale', $locale );
        // WPLANG is defined in wp-config.
        if (defined('WPLANG'))
            $locale = WPLANG;
        if (empty($locale))
            $locale = '';
        $locale = apply_filters('locale', $locale);
        return $locale;
    }
So, if WPLANG is not defined and the $locale value is
able to bypass whatever filters are defined in apply_filters,
a PoC like "wordpress/wp-settings.php?locale=shell?" MAY work.
Other than that, everything in wp-includes/themes.php is
contained within a function declaration and
wp-includes/template-loader.php looks to be okay.
Just another incompetent vulnerability researcher posting bogus
reports. Why must PHP punish us so?
;-)
William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
>-----Original Message-----
>From: vim-bounces at attrition.org
>[mailto:vim-bounces at attrition.org] On Behalf Of Noam Rathaus
>Sent: Thursday, 26 April, 2007 03:38
>To: Vulnerability Information Managers
>Subject: [VIM] [UNKNOWN] WordPress v2.1.3 >> remote file include~
>
>Hi,
>
>I am unable to confirm this, anyone?
>
>Looks fake, and untrue, wp-settings.php doesn't use anything called
>require_once? weird
>
>---------- Forwarded Message ----------
>
>Subject: WordPress v2.1.3 >> remote file include~
>Date: Wednesday 25 April 2007 11:17
>From: s433d_only_linux at yahoo.de
>To: bugtraq at securityfocus.com
>
>by : www.hackeraz.ir userz , saeid...
>++++++++++++++++++++++++++++++++++++
>####################################################
>#WordPress >> 2.1.3 Remote File Inclusion #
>####################################################
>Affected Software .: WordPress >> 2.1.3 #
>Download..: http://wordpress-deutschland.org #
>Risk ..............: high #
>Date .........: 25/4/2007 #
>Found by ..........: s433d_only_linux #
>Contact ...........: s433d_only_linux at yahoo.de #
>Web .............: Www.hackerz.ir #
>special thanx ........... Ali Jasbi my beste friend#
>####################################################
>Affected File: #
>wordpress/wp-settings.php #
>wordpress/wp-includes/template-loader.php #
>wordpress/wp-includes/theme.php #
>####################################################
>Exploit:
>wordpress/wp-settings.php?require_once=shell?
>wordpress/wp-includes/template-loader.php?include=shell?
>wordpress/wp-includes/theme.php?require_once=shell?
>######################################################
>
>-------------------------------------------------------
>
>--
> Noam Rathaus
> CTO
> 1616 Anderson Rd.
> McLean, VA 22102
> Tel: 703.286.7725 extension 105
> Fax: 888.667.7740
> noamr at beyondsecurity.com
> http://www.beyondsecurity.com
>
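Added example, not part of the original message or of WordPress: a small triage helper that repeats the check made by hand above, comparing the parameter name in a file-inclusion report against the variables that actually feed each include/require path. The function names are hypothetical, the sample source is constructed from the lines quoted in the message, and the regex matching is a heuristic that follows assignments only one step back.

```python
import re

# Constructed sample: wp-settings.php lines as quoted in the message above.
WP_SETTINGS = '''\
require_once (ABSPATH . WPINC . '/l10n.php');
$locale = get_locale();
$locale_file = ABSPATH . LANGDIR . "/$locale.php";
if ( is_readable($locale_file) )
    require_once($locale_file);
require_once(ABSPATH . WPINC . '/locale.php');
'''

INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?(.*?)\)?\s*;')
ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(.*?);', re.M)
VAR = re.compile(r'\$(\w+)')
SINGLE_QUOTED = re.compile(r"'[^']*'")  # PHP does not interpolate these


def variables(expr):
    """Variable names in a PHP expression, ignoring single-quoted strings."""
    return set(VAR.findall(SINGLE_QUOTED.sub('', expr)))


def include_inputs(src):
    """Map line number -> variables that can influence each include path,
    following direct assignments one step back ($locale_file <- $locale)."""
    assigned = {name: variables(rhs) for name, rhs in ASSIGN.findall(src)}
    result = {}
    for lineno, line in enumerate(src.splitlines(), 1):
        m = INCLUDE.search(line)
        if m:
            direct = variables(m.group(1))
            result[lineno] = direct.union(*(assigned.get(v, set()) for v in direct))
    return result


def triage(src, param):
    """Classify a reported '?param=' file-inclusion claim against the source."""
    reaching = [n for n, names in include_inputs(src).items() if param in names]
    if reaching:
        return 'review', reaching   # name reaches an include: trace where it is set
    return 'unsupported', []        # no include path depends on that name
```

A 'review' result only says the name feeds an include path; whether it is attacker-controlled still depends on how the variable is set, as with WPLANG and the filters discussed in the message.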