Secunia Advisory: SA29949
Release Date: 2008-04-25
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software: WordPress 2.x

Description:
Sandor Attila Gerendi has discovered a
vulnerability in WordPress, which can potentially be exploited by
malicious users to compromise a vulnerable system.

Input passed via the "cat" parameter to index.php is not properly
sanitised in the "get_category_template()" function in
wp-includes/theme.php before being used to include files in
template-loader.php. This can be exploited to include arbitrary PHP
files from local resources via directory traversal attacks.

Successful exploitation allows execution of arbitrary PHP code, but
requires privileges to store PHP files on an affected system and that
WordPress is installed on a Windows platform.

The vulnerability is confirmed in version 2.3.3.

Solution:
Fixed in the SVN repository.
http://trac.wordpress.org/changeset/7586

Provided and/or discovered by:
Sandor Attila Gerendi
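
The class of check the description calls for, as an added example that is not WordPress code and not the change made in the changeset above: a request value is accepted as a category ID only if it is all digits, and the resolved template must sit directly in the theme directory before it would be included. The function name resolve_category_template(), the file names and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added illustration, not WordPress code. Names and paths here are hypothetical.

/**
 * Resolve the template file for a category request.
 * Returns an absolute path inside $themeDir, or null if nothing safe matches.
 */
function resolve_category_template(string $themeDir, $cat): ?string
{
    $base = realpath($themeDir);
    if ($base === false) {
        return null;
    }

    $candidates = [];
    // Accept digits only, so dots and path separators never reach the file name.
    if (is_string($cat) && ctype_digit($cat)) {
        $candidates[] = "category-{$cat}.php";
    }
    $candidates[] = 'category.php'; // generic fallback template

    foreach ($candidates as $name) {
        $real = realpath($base . DIRECTORY_SEPARATOR . $name);
        // Second check: the resolved file must sit directly in the theme directory.
        if ($real !== false && is_file($real) && dirname($real) === $base) {
            return $real;
        }
    }
    return null;
}

// Constructed sample theme directory so the script runs offline.
$theme = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'theme_' . bin2hex(random_bytes(4));
mkdir($theme);
file_put_contents("$theme/category-7.php", "<?php // category 7\n");
file_put_contents("$theme/category.php", "<?php // generic\n");

// Constructed inputs: a valid ID, an unknown ID, and two non-integer values.
foreach (['7', '99', '7abc', '..\\..\\other\\file'] as $cat) {
    $path = resolve_category_template($theme, $cat);
    printf("%-22s => %s\n", var_export($cat, true), $path === null ? 'none' : basename($path));
}
```

Only the first input selects a category-specific template; the other three fall back to category.php because the value is either unknown or rejected before any path is built.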