| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Jul 2013 23:51:22 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, "1337 Exploit DataBase" <mr.inj3ct0r@...il.com> Subject: CS, XSS and FPD vulnerabilities in WordPress Hello list! These are Content Spoofing, Cross-Site Scripting and Full path disclosure vulnerabilities in WordPress. At WordPress 3.5.2 release (the same at 3.5.1 release), WP developers mentioned about multiple fixed holes, but not about all - to make it looks like there were less fixed holes. So I'm revealing this information for you. In March I wrote about Content Spoofing and Cross-Site Scripting vulnerabilities in SWFUpload (http://securityvulns.ru/docs29181.html) (which is also bundled with WordPress), and I mentioned that they concerned only versions before WordPress 3.3.2 and were fixed in version 3.3.2 together with 2012's XSS hole. But I checked these holes in older versions of WP and in version 3.5.1. And as I found two weeks ago, these CS and XSS vulnerabilities were fixed exactly in WordPress 3.5.1. So versions 3.3.2 - 3.5 are still vulnerable, and in version 3.5.1 the developers included updated version of SWFUpload, without mentioning about these fixes (they like to do such things), only mentioned about the fixes in SWFUpload in version WP 3.5.2. There are fixed vulnerabilities in WordPress 3.5.2, which are not mentioned in announcement and codex. Like below mentioned Full path disclosure vulnerability (which I disclosed last week), even they have mentioned about FPD during upload. ------------------------- Affected products: ------------------------- For CS and XSS vulnerable are versions WordPress 2.7 - 3.5. For FPD vulnerable are versions WordPress 3.4 - 3.5.1. ---------- Details: ---------- Content Spoofing (WASC-12): http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E It's possible to inject text, images and html (e.g. for link injection). Cross-Site Scripting (WASC-08): http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E Code will execute after click. It's strictly social XSS. Full path disclosure (WASC-13): http://site/wp-admin/users.php?s=http:// There is FPD when search string starts from http:// or https://. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists