Package:- wordpress 2.2.2.zip
file:/wp-admin/admin-functions.php
function validate_file( $file, $allowed_files = '' ) {
    if ( false !== strpos( $file, './' ))
        return 1;
    if (':' == substr( $file, 1, 1 ))
        return 2;
    if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
        return 3;
    return 0;
}
It fails to check for the other slash (\) as well as for the null byte (%00), and hence the 'Windows version' seems vulnerable to local file inclusion.
e.g. import=..\..\..\..\..\..\boot.ini%00
vulnerable file:-/wp-admin/admin.php
$importer = $_GET['import'];
if ( ! current_user_can('import') )
    wp_die(__('You are not allowed to import.'));
if ( validate_file($importer) ) {
    wp_die(__('Invalid importer.'));
}
if (! file_exists(ABSPATH . "wp-admin/import/$importer.php"))
    wp_die(__('Cannot load importer.'));
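A hardened form of this check, as an added example (not WordPress code and not part of the original advisory): it replaces the denylist with an allowlist for importer names and confirms that the resolved path stays inside the import directory. The function names validate_file_original, importer_name_is_safe and resolve_importer, the sample inputs and the temporary directory are assumptions made for illustration.

```php
<?php
// Added example, not WordPress code. importer_name_is_safe() and
// resolve_importer() are hypothetical names.

// The page's check, copied for comparison (returns 0 when it accepts the input).
function validate_file_original($file, $allowed_files = '') {
    if (false !== strpos($file, './')) return 1;
    if (':' == substr($file, 1, 1)) return 2;
    if (!empty($allowed_files) && !in_array($file, $allowed_files)) return 3;
    return 0;
}

// Allowlist instead of denylist: an importer name is a short token of letters,
// digits, '-' and '_'. Both slashes, dots, ':' and NUL all fall outside it.
function importer_name_is_safe($name) {
    return is_string($name) && preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) === 1;
}

// Resolve the importer file and confirm it still lies inside $import_dir.
// Returns the canonical path, or false if the name is rejected or the file is missing.
function resolve_importer($import_dir, $name) {
    if (!importer_name_is_safe($name)) return false;
    $base = realpath($import_dir);
    $path = realpath($import_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) return false;
    // Containment check on canonical paths, with the separator appended to the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : false;
}

// Constructed sample inputs (control bytes are printed in octal).
$samples = array('rss', "..\\..\\boot.ini\0", '../rss', 'C:\\boot.ini', "rss\0");
foreach ($samples as $s) {
    printf("%-22s original=%d  allowlist=%s\n",
        addcslashes($s, "\0..\37"),
        validate_file_original($s),
        importer_name_is_safe($s) ? 'accept' : 'reject');
}

// Constructed directory holding one importer file, to exercise resolve_importer().
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'import_demo_' . getmypid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'rss.php');
var_dump(resolve_importer($dir, 'rss') !== false);
var_dump(resolve_importer($dir, "..\\rss"));
unlink($dir . DIRECTORY_SEPARATOR . 'rss.php');
rmdir($dir);
```

In the printed table, an original value of 0 means the page's validate_file() accepted the input.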
PS: You need admin privileges to carry out this attack, and with admin privileges you can install a backdoor anyway; hence this is not a vulnerability but just a demonstration of insecure coding.