Cobalt bug bounty program


Full Path Disclosure on Nexmo #CC91_15

Valid - by dsopas - Sensitive Data Exposure

Description

Full path disclosure issues let a malicious user learn the filesystem path of the webroot or of a specific file, e.g. /home/www/etc/public_html.
Combined with another vulnerability, such as SQL injection or file inclusion, a malicious user can use the full path to reach the exact file they wish to attack.

The problem is located in the WordPress plugin WordPress Popular Posts, in the file wordpress-popular-posts.php.

URL
https://www.nexmo.com/nx-wp/wp-admin/admin-ajax.php?action=update_views_ajax&token=5973dbb773&id=128
POC

Just request the URL:
https://www.nexmo.com/nx-wp/wp-admin/admin-ajax.php?action=update_views_ajax&token=5973dbb773&id=128

The invalid token produces an error message that discloses the full path:

Notice: Undefined index: token in /home/www/www/nx-wp/wp-content/plugins/wordpress-popular-posts/wordpress-popular-posts.php on line 1248
WPP: Oops, invalid request!

Criticality

In my opinion it's a low-severity vulnerability, because it needs another vulnerability to achieve higher goals.

Suggested fix

Suppress the PHP Notice, either by turning error display off in the PHP file itself or by setting it in php.ini. Errors, warnings and notices shown by the server can always be used to learn something about it. Hope it helps.
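As an added illustration (not the plugin's or Nexmo's actual code), the input-handling pattern that raises such a Notice next to a hardened handler, followed by the wp-config.php settings that keep notices out of responses; the nonce action name 'wpp-token' is an assumption.

```php
<?php
// Added example, not the plugin's real code. Two fragments: the AJAX handler
// and the production error-display settings.

// UNSAFE pattern: reading an array index that may not exist raises
// "Notice: Undefined index: token in /full/path/to/plugin.php on line N".
// With display_errors on (or WP_DEBUG true), that line is sent to the client.
function wpp_update_views_unsafe() {
    $token = $_GET['token'];                          // Notice if 'token' is absent
    if ( ! wp_verify_nonce( $token, 'wpp-token' ) ) { // 'wpp-token' is an assumed action
        die( 'WPP: Oops, invalid request!' );
    }
    // ... update the view counter ...
}

// HARDENED: check presence before use so no Notice is raised, validate the
// inputs, and fail closed with a fixed message that carries no server details.
function wpp_update_views_safe() {
    $token = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : '';
    $id    = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( '' === $token || 0 === $id || ! wp_verify_nonce( $token, 'wpp-token' ) ) {
        wp_die( 'WPP: Oops, invalid request!', '', array( 'response' => 400 ) );
    }
    // ... update the view counter for $id ...
}
// Hook the safe handler to the admin-ajax action seen in the report URL.
add_action( 'wp_ajax_update_views_ajax', 'wpp_update_views_safe' );
add_action( 'wp_ajax_nopriv_update_views_ajax', 'wpp_update_views_safe' );

// wp-config.php (production): the setting that was left enabled on the live
// site, corrected. Errors are logged server-side, never rendered to clients.
define( 'WP_DEBUG', false );
@ini_set( 'display_errors', 0 );
@ini_set( 'log_errors', 1 );

// Equivalent php.ini settings (defence in depth, independent of WordPress):
//   display_errors = Off
//   log_errors     = On
//   error_log      = /var/log/php/error.log   ; assumed path
```

The php.ini settings protect every PHP application on the host, including any plugin that still accesses request parameters without an isset() check.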

Prerequisites

None

Tools used

Brain and Google Inspector

HTTP Request
-

Lovely people pushed

define('WP_DEBUG', true);

to live. Won't add anything but thanks for spotting this! :)

nexmo-ops changed state to Valid and granted $50 bounty


dsopas gave feedback

No worries. Thanks!


dsopas requested disclosure

nexmo-ops accepted disclosure