Category: Misc

  • WP Plugin Security: Multiple Leaks in WP-PhotoContest

    What IS WP PhotoContest? The readme states: This plugin permits you to create a ‘voting for photos-contest’ from the WordPress admin panel Subscribed users can uploads photos and everyone else can vote for the uploaded photos (sic). The author could rephrase that as follows: This plugin permits everyone to inject SQL commands into the database…

  • WP Plugin Security: When the genius is out for lunch

    I am in the mood for some more ranting… Why am I doing this? The low security level in the WordPress community aggravates me. And I care about the security of WordPress users out there. So here goes the next issue. It’s a rather insignificant XSS security vulnerability but since the WP theme’s author runs…

  • WP Plugin Security: WP Shopping Cart/WP eCommerce Security Holes

Another week, another security hole. This time I have found several holes in ajax-and-init.php from WP-eCommerce v3.7.4 aka WP Shopping Cart. It is the latest stable version. Let’s go. The first issue is an unrestricted file deletion security breach. Remote attackers can trick a logged-in WP user into clicking prepared links that can make…

  • WP Plugin Security: WP-Ajax-Edit-Comments

Security hole in WordPress plugin WP Ajax Edit Comments up to v2.4.0.1 — upgrade now

  • File Disclosure

When you discover a security hole of this caliber, you are left speechless… On a customer’s web server I found the following scenario: Two virtual hosts were set up there, for example /var/www/www1.example.com/ /var/www/www2.example.com/ Requests to www1.example.com and www2.example.com were forwarded to the corresponding vHosts. In the directories mentioned above lay the wwwroot, database backups, SSH keys etc. Maybe that is…