| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Oct 2011 21:06:17 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress Hello list! I want to warn you about multiple security vulnerabilities in plugin Simple:Press Forum for WordPress. These are Code Execution and Full path disclosure vulnerabilities. ------------------------- Affected products: ------------------------- To CE vulnerable are Simple:Press Forum 4.1.2 and previous versions. In version SPF 4.1.3, which released at 31.12.2009, TinyBrowser was completely removed (developers decided not to fix it by themselves or wait for a fix from developer of TinyBrowser, but just removed it). Already after removing of TinyBrowser from SPF there were found new methods of code execution in this application, so users of old versions of SPF became even more vulnerable (as at web servers Apache, as at IIS). To FPD vulnerable are Simple:Press 4.4.5 and previous versions. ---------- Details: ---------- Code Execution (WASC-31): Execution of arbitrary code is possible via TinyBrowser. As I already told concerning TinyBrowser for TinyMCE (http://lists.grok.org.uk/pipermail/full-disclosure/2011-July/081939.html), the program is vulnerable to three methods of code execution. http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php Full path disclosure (WASC-13): http://site/wp-content/plugins/simple-forum/styles/icons/default/ICON_DEFAULTS.php http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/EnchantSpell.php http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpell.php http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpellShell.php Four last FPD vulnerabilities have place in TinyMCE, which is shipped with SPF. There were many FPD in old versions of SPF, part of them were fixed already in the last version 4.4.5. Particularly in old versions (such as 4.1.1) there are FPD in folder admin: http://site/wp-content/plugins/simple-forum/admin/sfa-framework.php http://site/wp-content/plugins/simple-forum/admin/sfa-menu.php And in some other files in subfolders of the folders admin, editors and others. In the last version the only five above-mentioned FPD have left. ------------ Timeline: ------------ 2011.02.11 - announced at my site about TinyBrowser. 2011.02.14 - informed developer of TinyBrowser. 2011.02.17 - developer of TinyBrowser answered, that he has just fixed them in the next version 1.43. 2011.04.07 - announced at my site about Simple:Press Forum. 2011.04.08 - informed developers of Simple:Press Forum. 2011.07.14 - disclosed at my site about TinyBrowser. 2011.10.15 - disclosed at my site about Simple:Press Forum. I mentioned about these vulnerabilities at my site: http://websecurity.com.ua/5062/ Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists