Full Disclosure mailing list archives

Full Path Disclosure vulnerability in JM Twitter Cards reveals the location of the WordPress installation on the server (WordPress plugin)

From: dxw Security <security () dxw com>

Date: Mon, 12 Oct 2015 11:09:45 +0000

Details
================
Software: JM Twitter Cards
Version: 6.0
Homepage: https://wordpress.org/plugins/jm-twitter-cards
Advisory report: https://security.dxw.com/advisories/full-path-disclosure-vulnerability-in-jm-twitter-cards-reveals-the-location-of-the-wordpress-installation-on-the-server/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Full Path Disclosure vulnerability in JM Twitter Cards reveals the location of the WordPress installation on the server

Vulnerability
================
This plugin contains a Full Path Disclosure vulnerability (CWE-200). This allows an attacker to discover the full path to the WordPress installation on the server, which they could use to assist in other attacks.

For this to happen, the site would have to have the ‘display_errors’ option set to true.

Proof of concept
================
Turn on display_errors.
Request http://mydomain.com/wp-content/plugins/jm-twitter-cards/views/settings.php from a browser.
The following error message will be displayed:

Fatal error: Call to undefined function esc_html_e() in /path/to/installation/wp-content/plugins/jm-twitter-cards/views/settings.php on line 3

Mitigations
================
Upgrade to version 6.2 or later.

If this is not possible, ensure that display_errors is turned off on a site running this plugin.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security () dxw com to acknowledge this report if you received it via a third party (for example, plugins () wordpress org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report within 14 days.
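As an added illustration of the bug class and its fix (this is not the plugin's code, and not necessarily the change shipped in 6.2): a hypothetical view file in the shape the advisory describes, with the standard WordPress direct-access guard placed before any WordPress function is called. File layout and strings are assumptions.

```php
<?php
/**
 * Hypothetical reconstruction of a plugin view such as
 * views/settings.php (not the plugin's own code).
 *
 * The vulnerable shape is a file whose first PHP statement is a
 * WordPress call, e.g. esc_html_e( 'Twitter Cards', 'jm-twitter-cards' ).
 * Requested directly over HTTP, the file runs without WordPress loaded,
 * esc_html_e() is undefined, and PHP emits
 *   "Fatal error: Call to undefined function esc_html_e() in
 *    /full/path/.../views/settings.php on line N".
 * With display_errors on, that message, path included, is sent to the
 * browser.
 */

// Hardened form: ABSPATH is defined by wp-load.php, so it exists only
// when this file is included from inside a WordPress request. A direct
// request stops here, before any undefined function can be reached.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
?>
<div class="wrap">
    <h2><?php esc_html_e( 'Twitter Cards settings', 'jm-twitter-cards' ); ?></h2>
</div>
<?php
// Defence in depth for the display_errors mitigation: settings made in
// wp-config.php (WP_DEBUG, WP_DEBUG_DISPLAY) never run for a direct
// request, because WordPress is not loaded. The switch has to live in
// php.ini or the web server's PHP configuration:
//
//   display_errors = Off
//   log_errors     = On    ; keep the full message in the server log
```

The guard alone closes this particular disclosure; the php.ini setting is what protects the rest of the installation from any other file that can be reached directly.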
Timeline
================
2015-07-29: Discovered
2015-07-30: Reported to vendor via contact form on http://www.tweetpress.fr/contact
2015-09-17: Vendor reported fixed
2015-10-12: Published

Discovered by dxw:
================
Duncan Stuart

Please visit security.dxw.com for more information.