lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 7 Mar 2015 21:22:53 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of
 File Security Vulnerabilities

*WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme v1.6.2 /thumb.php src
Parameter Unrestricted Upload of File Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Unrestricted Upload of File with Dangerous Type
[CWE-434]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
WooThemes



*Product & Version:*
WordPress Daily Edition Theme
v1.6.2



*Vendor URL & Download:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/



*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition
is a clean, spacious newspaper/magazine theme designed by Liam McKay. With
loads of home page modules to enable/disable and a unique java script-based
featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the themes
appearance and functions flexible. From The Daily Edition 3 option pages
you can for example add your Twitter and Google analytics code, some custom
CSS and footer content – and in the widgets area you find a practical ads
management."

"Unique Features
These are some of the more unique features that you will find within the
theme:
    A neat javascript home page featured slider, with thumbnail previews of
previous/next slides on hover over the dots.
    A “talking points” home page that can display posts according to tags,
in order of most commented to least commented. A great way to highlight
posts gathering dust in the archives.
    A customizable home page layout with options to specify how many full
width blog posts and how many “box” posts you would like to display.
    A javascript home page video player with thumbnail hover effect.
    16 delicious colour schemes to choose from!"







*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem.
It can be exploited by "Unrestricted Upload of File" (Arbitrary File
Uploading) attacks. With a specially crafted request, a remote attacker can
include arbitrary files from the targeted host or from a remote or local
host . This may allow disclosing file contents or executing files like PHP
scripts. Such attacks are limited due to the script only calling files
already on the target host.


*(2.1)* The code flaw occurs at "thumb.php?" page with "src" parameters.








*References:*
http://tetraph.com/security/unrestricted-upload-of-file-arbitrary/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/4
http://packetstormsecurity.com/files/130653/Webshop-Hun-1.062S-Directory-Traversal.html







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ