By the way, I didn't see this mentioned anywhere (yet); since there are so many unprotected files, one can easily detect the wordpress version by comparing error line numbers.
On Wed, Mar 30, 2011 at 4:39 PM, Christian Sciberras <[email protected]> wrote: > With regards to the recent bugtrack advisory on WordPress DFA: > > Re: HTB22905: Path disclosure in Wordpress > > -------------------------------------------------------- > > Ridiculous! I've been talking about this for some time, the actual > list of vulnerable files follows: > > wp-admin\admin-functions.php > wp-admin\includes\admin.php > wp-admin\includes\class-ftp-pure.php > wp-admin\includes\class-ftp-sockets.php > wp-admin\includes\class-wp-filesystem-direct.php > wp-admin\includes\class-wp-filesystem-ftpext.php > wp-admin\includes\class-wp-filesystem-ftpsockets.php > wp-admin\includes\class-wp-filesystem-ssh2.php > wp-admin\includes\comment.php > wp-admin\includes\continents-cities.php > wp-admin\includes\file.php > wp-admin\includes\media.php > wp-admin\includes\misc.php > wp-admin\includes\ms.php > wp-admin\includes\nav-menu.php > wp-admin\includes\plugin-install.php > wp-admin\includes\plugin.php > wp-admin\includes\schema.php > wp-admin\includes\template.php > wp-admin\includes\theme-install.php > wp-admin\includes\update.php > wp-admin\includes\upgrade.php > wp-admin\includes\user.php > wp-admin\maint\repair.php > wp-admin\menu-header.php > wp-admin\menu.php > wp-admin\options-head.php > wp-admin\upgrade-functions.php > wp-config.php > wp-content\themes\twentyten\404.php > wp-content\themes\twentyten\archive.php > wp-content\themes\twentyten\attachment.php > wp-content\themes\twentyten\author.php > wp-content\themes\twentyten\category.php > wp-content\themes\twentyten\comments.php > wp-content\themes\twentyten\footer.php > wp-content\themes\twentyten\functions.php > wp-content\themes\twentyten\header.php > wp-content\themes\twentyten\loop.php > wp-content\themes\twentyten\onecolumn-page.php > wp-content\themes\twentyten\page.php > wp-content\themes\twentyten\search.php > wp-content\themes\twentyten\sidebar-footer.php > wp-content\themes\twentyten\sidebar.php > wp-content\themes\twentyten\single.php > wp-content\themes\twentyten\tag.php > wp-includes\Text\Diff\Engine\native.php > wp-includes\Text\Diff\Engine\string.php > wp-includes\Text\Diff\Engine\xdiff.php > wp-includes\Text\Diff\Renderer\inline.php > wp-includes\Text\Diff\Renderer.php > wp-includes\Text\Diff.php > wp-includes\cache.php > wp-includes\canonical.php > wp-includes\class-feed.php > wp-includes\class-simplepie.php > wp-includes\class-snoopy.php > wp-includes\class.wp-scripts.php > wp-includes\class.wp-styles.php > wp-includes\classes.php > wp-includes\comment-template.php > wp-includes\default-embeds.php > wp-includes\default-filters.php > wp-includes\default-widgets.php > wp-includes\feed-atom-comments.php > wp-includes\feed-atom.php > wp-includes\feed-rdf.php > wp-includes\feed-rss.php > wp-includes\feed-rss2-comments.php > wp-includes\feed-rss2.php > wp-includes\general-template.php > wp-includes\js\tinymce\langs\wp-langs.php > wp-includes\js\tinymce\plugins\spellchecker\classes\EnchantSpell.php > wp-includes\js\tinymce\plugins\spellchecker\classes\GoogleSpell.php > wp-includes\js\tinymce\plugins\spellchecker\classes\PSpell.php > wp-includes\js\tinymce\plugins\spellchecker\classes\PSpellShell.php > wp-includes\js\tinymce\plugins\spellchecker\config.php > wp-includes\js\tinymce\wp-mce-help.php > wp-includes\kses.php > wp-includes\l10n.php > wp-includes\media.php > wp-includes\ms-default-constants.php > wp-includes\ms-default-filters.php > wp-includes\ms-functions.php > wp-includes\ms-settings.php > wp-includes\nav-menu-template.php > wp-includes\post.php > wp-includes\query.php > wp-includes\registration-functions.php > wp-includes\rss-functions.php > wp-includes\rss.php > wp-includes\script-loader.php > wp-includes\shortcodes.php > wp-includes\taxonomy.php > wp-includes\template-loader.php > wp-includes\theme-compat\comments-popup.php > wp-includes\theme-compat\comments.php > wp-includes\theme-compat\footer.php > wp-includes\theme-compat\header.php > wp-includes\theme-compat\sidebar.php > wp-includes\theme.php > wp-includes\update.php > wp-includes\user.php > wp-includes\vars.php > wp-includes\widgets.php > wp-includes\wp-db.php > wp-includes\wp-diff.php > wp-settings.php > > That's some 30%-40% of all Wordpress files (depending on Wordpress install). > > I considered publishing this formally but... > > http://codex.wordpress.org/Security_FAQ > See the 5th clause. > > If they can't be bothered with proper coding practices, I won't bother > arguing what the meaning behind "optimal security" is either. > For the record, keep in mind that hiding the said errors from output > still doesn't stop them from being logged in the infamous error_log, > which of course can be fixed by (un)setting yet another config. > > Seems useless to point out that security is about not shooting at your > own feet as opposed to doing so and mending them later on. > > EOR > > Chris. > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
