[<prev] [next>] [day] [month] [year] [list]
Message-ID: <00d101cc8cf7$b61a00f0$9b7a6fd5@ml>
Date: Mon, 17 Oct 2011 21:06:17 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Code Execution and FPD vulnerabilities in
Simple:Press Forum for WordPress
Hello list!
I want to warn you about multiple security vulnerabilities in plugin
Simple:Press Forum for WordPress.
These are Code Execution and Full path disclosure vulnerabilities.
-------------------------
Affected products:
-------------------------
To CE vulnerable are Simple:Press Forum 4.1.2 and previous versions. In
version SPF 4.1.3, which released at 31.12.2009, TinyBrowser was completely
removed (developers decided not to fix it by themselves or wait for a fix
from developer of TinyBrowser, but just removed it). Already after removing
of TinyBrowser from SPF there were found new methods of code execution in
this application, so users of old versions of SPF became even more
vulnerable (as at web servers Apache, as at IIS).
To FPD vulnerable are Simple:Press 4.4.5 and previous versions.
----------
Details:
----------
Code Execution (WASC-31):
Execution of arbitrary code is possible via TinyBrowser. As I already told
concerning TinyBrowser for TinyMCE
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-July/081939.html),
the program is vulnerable to three methods of code execution.
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php
Full path disclosure (WASC-13):
http://site/wp-content/plugins/simple-forum/styles/icons/default/ICON_DEFAULTS.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpellShell.php
Four last FPD vulnerabilities have place in TinyMCE, which is shipped with
SPF.
There were many FPD in old versions of SPF, part of them were fixed already
in the last version 4.4.5. Particularly in old versions (such as 4.1.1)
there are FPD in folder admin:
http://site/wp-content/plugins/simple-forum/admin/sfa-framework.php
http://site/wp-content/plugins/simple-forum/admin/sfa-menu.php
And in some other files in subfolders of the folders admin, editors and
others. In the last version the only five above-mentioned FPD have left.
------------
Timeline:
------------
2011.02.11 - announced at my site about TinyBrowser.
2011.02.14 - informed developer of TinyBrowser.
2011.02.17 - developer of TinyBrowser answered, that he has just fixed them
in the next version 1.43.
2011.04.07 - announced at my site about Simple:Press Forum.
2011.04.08 - informed developers of Simple:Press Forum.
2011.07.14 - disclosed at my site about TinyBrowser.
2011.10.15 - disclosed at my site about Simple:Press Forum.
I mentioned about these vulnerabilities at my site:
http://websecurity.com.ua/5062/
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists