WordPress Sniplets Vulnerabilities

Written by Jeffro On February 28, 2008 | Category Of Post (wordpress) | 261 views |

This is one of the few HIGHLY CRITICAL security bulletins I’ve seen. The security firm NBBN has discovered some vulnerabilities within the WordPress Sniplets plugin which could be exploited to conduct cross-site scripting attacks, disclose sensitive information, or compromise a vulnerable system.

The security bulletin outlines the following configurations in which this plugin can be exploited:

1) Input passed to the “libpath” parameter in modules/syntax_highlight.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Successful exploitation of this vulnerability requires that “register_globals” is enabled.

2) Input passed to the “text” parameter in modules/execute.php is not properly sanitised before being used in a call to “eval()”. This can be exploited to inject and execute arbitrary PHP code via a specially crafted parameter value.

Successful exploitation of this vulnerability requires that “register_globals” is enabled.

3) Input passed to the “page” parameter in view/admin/pager.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

4) Input passed to the “text” parameter in view/sniplets/warning.php, view/sniplets/notice.php, view/sniplets/inset.php, and modules/execute.php and “url” in view/admin/submenu.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Successful exploitation of this vulnerability requires that “register_globals” is enabled

Version 1.2.2 has been confirmed to contain these security problems as 1.2.2 happens to be the most current release of the software. The solution to this problem is to either edit the source code to ensure that input is properly verified and sanitized or, disable the plugin until an update has been released.

It appears as though people are already actively exploiting this plugin as Flopping Aces describes on his website.

Check Out These Related Posts

WordPress Weekly Episode 8

WordPress Releases 2.2.1

I See Your WordPress Plugins

Lorelle On WordPress Weekly

WordPress Podcast Episode 38 Released

This Post Was Tagged With:

Print This Post

Enable CommentLuv which will try and parse your last blog post, please be patient while it finds it for you

By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution.

Name:
Email:
URL:
Your Comment:

WP Weekly
Cool Stuff
Reviews

Final Episode Of WPWeekly

Here it is. The final episode of WordPress Weekly where I interviewed Alex King for about an hour. We discussed all sorts of things related to WordPress such as plugin development, themes, his plugins, trends online, why WordPress is so popular, comparisons between Drupal and WordPress and last but not least, ...

[Read more..]

A Web2.0 Perspective Of The World

Every now and then, something very cool passes through the noise and this is one of those things. It's called the Web 2.0 World Mosaic created by Appappeal. The mosaic features 1001 web 2.0 company logos when hovered upon, pop out at you for a bigger version. These guys have done a good job with the mosaic ...

[Read more..]

ScribeFire Reviewed

Well, this would be my second screencast produced out of Camtasia Studio 5 and I'm learning more and more that screencasts are the not the easiest things to create. I'm also trying to learn the magic recording/producing formula which will net me the best results on sites such as Viddler. It sucks to create something that looks so good on ...

[Read more..]

Subscribe To Posts