Details
================
Software: JM Twitter Cards
Version: 6.0
Homepage: https://wordpress.org/plugins/jm-twitter-cards
Advisory report: https://security.dxw.com/advisories/full-path-disclosure-vulnerability-in-jm-twitter-cards-reveals-the-location-of-the-wordpress-installation-on-the-server/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Full Path Disclosure vulnerability in JM Twitter Cards reveals the location of the WordPress installation on the server

Vulnerability
================
This plugin contains a Full Path Disclosure vulnerability (CWE-200). This allows an attacker to discover the full path to the WordPress installation on the server, which they could use to assist in other attacks.

For this to happen, the site would have to have the 'display_errors' option set to true.

Proof of concept
================
1. Turn on display_errors
2. Request http://mydomain.com/wp-content/plugins/jm-twitter-cards/views/settings.php from a browser.
3. The following error message will be displayed:

Fatal error: Call to undefined function esc_html_e() in /path/to/installation/wp-content/plugins/jm-twitter-cards/views/settings.php on line 3

Mitigations
================
Upgrade to version 6.2 or later.

If this is not possible, ensure that display_errors is turned off on a site running this plugin.
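The root cause described above is a view file that calls a WordPress function (esc_html_e) as soon as it is loaded, so fetching it directly over HTTP, outside the WordPress bootstrap, produces a fatal error whose message embeds the absolute path. The following is an added example, not the plugin's own code and not necessarily the vendor's 6.2 fix: a hardened view file using the standard WordPress direct-access guard. The text domain 'plugin-text-domain' and the option name 'jm_tc_example_option' are placeholders.

```php
<?php
/**
 * views/settings.php (hypothetical hardened version; example code, not from
 * the JM Twitter Cards plugin).
 *
 * ABSPATH is defined by WordPress's bootstrap (wp-load.php) before any plugin
 * code runs. When this file is requested directly, as in the proof of concept,
 * WordPress has not been loaded, ABSPATH is undefined, and esc_html_e() does
 * not exist. Exiting first means no WordPress function is ever called, so
 * PHP never raises the fatal error that would print the installation path,
 * regardless of the display_errors setting.
 */
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 ); // optional; a bare exit also prevents the leak
    exit;
}

// From here on WordPress is guaranteed to be loaded, so its API is available.
$example_value = get_option( 'jm_tc_example_option', '' ); // placeholder option name
?>
<div class="wrap">
    <h1><?php esc_html_e( 'Twitter Cards settings', 'plugin-text-domain' ); ?></h1>
    <form method="post" action="options.php">
        <?php settings_fields( 'jm_tc_example_group' ); /* placeholder group name */ ?>
        <input type="text"
               name="jm_tc_example_option"
               value="<?php echo esc_attr( $example_value ); ?>" />
        <?php submit_button(); ?>
    </form>
</div>
```

The guard is a per-file defence; the site-level defence the advisory recommends is to keep PHP's display_errors off in production (display_errors = Off in php.ini, or ini_set( 'display_errors', '0' ) together with define( 'WP_DEBUG', false ) in wp-config.php, since WP_DEBUG re-enables error display), so that even an unguarded file cannot echo a path to the browser while errors still go to the server log. A quick audit for the same defect in other plugins is to look for .php files under wp-content/plugins that produce output or call WordPress functions without an ABSPATH check near the top.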
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================
2015-07-29: Discovered
2015-07-30: Reported to vendor via contact form on http://www.tweetpress.fr/contact
2015-09-17: Vendor reported fixed
2015-10-12: Published

Discovered by dxw:
================
Duncan Stuart

Please visit security.dxw.com for more information.