Message-ID: <00d101cc8cf7$b61a00f0$9b7a6fd5@ml>
Date: Mon, 17 Oct 2011 21:06:17 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress

Hello list!

I want to warn you about multiple security vulnerabilities in the
Simple:Press Forum plugin for WordPress.

These are Code Execution and Full path disclosure vulnerabilities.

-------------------------
Affected products:
-------------------------

Simple:Press Forum 4.1.2 and previous versions are vulnerable to CE. In
version SPF 4.1.3, which was released on 31.12.2009, TinyBrowser was
completely removed (the developers decided not to fix it themselves or wait
for a fix from the developer of TinyBrowser, but just removed it). After
TinyBrowser was removed from SPF, new methods of code execution were found
in this application, so users of old versions of SPF became even more
vulnerable (on both Apache and IIS web servers).

Simple:Press 4.4.5 and previous versions are vulnerable to FPD.

----------
Details:
----------

Code Execution (WASC-31):

Execution of arbitrary code is possible via TinyBrowser. As I already wrote
concerning TinyBrowser for TinyMCE
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-July/081939.html),
the program is vulnerable to three methods of code execution.

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php

Full path disclosure (WASC-13):

http://site/wp-content/plugins/simple-forum/styles/icons/default/ICON_DEFAULTS.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/EnchantSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpellShell.php

The last four FPD vulnerabilities are in TinyMCE, which is shipped with
SPF.

There were many FPD in old versions of SPF; some of them were already fixed
in the last version 4.4.5. In particular, in old versions (such as 4.1.1)
there are FPD in the admin folder:

http://site/wp-content/plugins/simple-forum/admin/sfa-framework.php

http://site/wp-content/plugins/simple-forum/admin/sfa-menu.php

And in some other files in subfolders of the admin, editors and other
folders. In the last version only the five above-mentioned FPD remain.

------------
Timeline:
------------

2011.02.11 - announced about TinyBrowser on my site.
2011.02.14 - informed the developer of TinyBrowser.
2011.02.17 - the developer of TinyBrowser answered that he had just fixed
them in the next version 1.43.
2011.04.07 - announced about Simple:Press Forum on my site.
2011.04.08 - informed the developers of Simple:Press Forum.
2011.07.14 - disclosed about TinyBrowser on my site.
2011.10.15 - disclosed about Simple:Press Forum on my site.

I mentioned these vulnerabilities on my site:
http://websecurity.com.ua/5062/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
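
A defender-side check for the paths listed in the message above, as an added example that is not part of the original post: it scans web server access log lines for direct requests to the files the advisory names. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

PLUGIN = "/wp-content/plugins/simple-forum/"
SPELL = "editors/tinymce/plugins/spellchecker/classes/"
# Paths relative to the plugin folder, exactly as listed in the advisory.
LISTED = {
    "editors/tinymce/plugins/tinybrowser/tinybrowser.php": "CE",
    "styles/icons/default/ICON_DEFAULTS.php": "FPD",
    SPELL + "EnchantSpell.php": "FPD",
    SPELL + "GoogleSpell.php": "FPD",
    SPELL + "PSpell.php": "FPD",
    SPELL + "PSpellShell.php": "FPD",
    "admin/sfa-framework.php": "FPD",  # old versions such as 4.1.1
    "admin/sfa-menu.php": "FPD",       # old versions such as 4.1.1
}
# Compare case-insensitively: IIS does not distinguish case in paths.
LISTED_CI = {k.lower(): v for k, v in LISTED.items()}

# Assumed Apache/nginx "combined" layout: client, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

def classify(target):
    """Return 'CE', 'FPD' or None for one request target."""
    # Drop the query string, decode %xx, collapse '//' and '/../'.
    path = posixpath.normpath(unquote(target.split("?", 1)[0]))
    idx = path.lower().find(PLUGIN)  # WordPress may sit in a subfolder
    if idx < 0:
        return None
    return LISTED_CI.get(path[idx + len(PLUGIN):].lower())

def scan(lines):
    """Return (client, kind, target, status) for every matching line."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        kind = classify(m.group(2)) if m else None
        if kind:
            hits.append((m.group(1), kind, m.group(2), int(m.group(3))))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [17/Oct/2011:21:10:01 +0300] "GET /wp-content/plugins/simple-forum/styles/icons/default/ICON_DEFAULTS.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Oct/2011:21:10:05 +0300] "GET /blog/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php?x=1 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [17/Oct/2011:21:11:40 +0300] "GET /wp-content/plugins/simple-forum/admin/../admin/SFA-MENU.PHP HTTP/1.1" 500 0',
    '192.0.2.10 - - [17/Oct/2011:21:12:02 +0300] "GET /forum/?page=2 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```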

