WordPress Zingiri Forums arbitrary file disclosure

Advisory

Secunia Advisory SA50833

Analysis of vulnerability

The Zingiri Web Forums for WordPress writes our a header for the forum in forum.php through adding an action to wp_head.

So on each load of the WordPress blog it will call into zing_forum_header. The first call it makes it into zing_forum_output, which is rather long. I’ve highlighted two areas:

We can affect the value of $zing_forum_to_include through the zforum GET variable. This is then used in a big else if statement. Here is the block of code that is executed if we set that to css:

If we don’t set anything expect the “url” get variable, we can cause it to be fed into the file_get_contents call on line 554. We can abuse this to disclose the contents of the wp-config.php file like this:

 

One comment

Leave a Reply