FPD Bug & Defacement Made By Iran Cyber Security Group

The Iran Cyber Security Group continue to show their expertise by discovering a full path disclosure vulnerability in a WordPress theme and then exploiting it by defacing websites, including a USA Government website in Princeton, Texas.

The vulnerability was found in: WordPress Twentyfourteen Theme (Default Theme) Full Path Disclosure

The vulnerable file is: http://localhost/wp-content/themes/twentyfourteen/index.php
Full details of the vulnerability are here
Also see previously discovered vulnerabilities here

Full Path Disclosure (FPD) allows attackers to see the full operating path of a vulnerable script, e.g. /home/omg/htdocs/file/. The FPD bug is triggered by injecting unexpected characters into certain parameters of a web page. The script doesn't expect the injected character and returns an error message that includes details of the error as well as the operating path of the targeted script.
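For site owners checking their own pages, the sketch below is an added example (not code from the original post or from WordPress) that scans response bodies for PHP error messages exposing a filesystem path. The sample responses, the `example.test` host, the line number and the function names are constructed for illustration; paths containing spaces are not matched.

```python
import html
import re

_TAG = re.compile(r"<[^>]+>")
# PHP's error format: "<severity>: <message> in <file> on line <n>"
# (uncaught exceptions in PHP 7+ use "in <file>:<n>" instead).
_PHP_ERROR = re.compile(
    r"(?P<severity>Fatal error|Parse error|Warning|Notice|Deprecated)"
    r":\s+(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\)\S*?\.(?:php|inc|phtml))"
    r"(?::(?P<colon_line>\d+)|\s+on line\s+(?P<line>\d+))"
)


def find_path_disclosures(body):
    """Return one dict per PHP error in `body` that exposes a server path."""
    # html_errors=On wraps parts of the message in <b> tags; strip them first.
    text = html.unescape(_TAG.sub("", body))
    return [
        {
            "severity": m.group("severity"),
            "message": m.group("message"),
            "path": m.group("path"),
            "line": int(m.group("line") or m.group("colon_line")),
        }
        for m in _PHP_ERROR.finditer(text)
    ]


def audit(responses):
    """Map each URL whose body leaks a path to the sorted list of leaked paths."""
    report = {}
    for url, body in responses.items():
        paths = sorted({f["path"] for f in find_path_disclosures(body)})
        if paths:
            report[url] = paths
    return report


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "https://example.test/wp-content/themes/twentyfourteen/index.php":
        "<br />\n<b>Fatal error</b>:  Call to undefined function get_header() in "
        "<b>/home/omg/htdocs/wp-content/themes/twentyfourteen/index.php</b> "
        "on line <b>17</b><br />\n",
    "https://example.test/": "<html><body><h1>Hello</h1></body></html>",
}

if __name__ == "__main__":
    for url, paths in audit(SAMPLES).items():
        print(url, "->", paths)
```

A non-empty report means PHP errors are being rendered to visitors; setting `display_errors = Off` and `log_errors = On` in `php.ini` keeps the message in the server log instead of the response.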

The discovery of the full-path disclosure vulnerability was made by C10N3R Se7eN. His details are:
Telegram: @Zehniat | Mail: [email protected] | Fb.com/C10N3R.Se7eN

One of the demonstration sites to prove the vulnerability exists is at http://www.princetontx.gov/wp-content/themes/twentyfourteen/index.php and the related defacement of the Princeton, Texas Government website (http://www.princetontx.gov/icg.php) can be seen here: http://zone-h.org/mirror/id/27235711

The defacement shows that it was also made by C10N3R Se7eN.

Iran Cyber Security Group contact: [email protected]
The Iran Cyber Security Group website is: www.iran-cyber.net
