lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <009101ce7ce6$3765bde0$9b7a6fd5@pc>
Date: Tue, 9 Jul 2013 23:51:22 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: CS, XSS and FPD vulnerabilities in WordPress

Hello list!

These are Content Spoofing, Cross-Site Scripting and Full path disclosure
vulnerabilities in WordPress.

At WordPress 3.5.2 release (the same at 3.5.1 release), WP developers
mentioned about multiple fixed holes, but not about all - to make it looks
like there were less fixed holes. So I'm revealing this information for you.

In March I wrote about Content Spoofing and Cross-Site Scripting
vulnerabilities in SWFUpload (http://securityvulns.ru/docs29181.html) (which
is also bundled with WordPress), and I mentioned that they concerned only
versions before WordPress 3.3.2 and were fixed in version 3.3.2 together
with 2012's XSS hole. But I checked these holes in older versions of WP and
in version 3.5.1.

And as I found two weeks ago, these CS and XSS vulnerabilities were fixed
exactly in WordPress 3.5.1. So versions 3.3.2 - 3.5 are still vulnerable,
and in version 3.5.1 the developers included updated version of SWFUpload,
without mentioning about these fixes (they like to do such things), only
mentioned about the fixes in SWFUpload in version WP 3.5.2.

There are fixed vulnerabilities in WordPress 3.5.2, which are not mentioned
in announcement and codex. Like below mentioned Full path disclosure
vulnerability (which I disclosed last week), even they have mentioned about
FPD during upload.

-------------------------
Affected products:
-------------------------

For CS and XSS vulnerable are versions WordPress 2.7 - 3.5.

For FPD vulnerable are versions WordPress 3.4 - 3.5.1.

----------
Details:
----------

Content Spoofing (WASC-12):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and html (e.g. for link injection).

Cross-Site Scripting (WASC-08):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Code will execute after click. It's strictly social XSS.

Full path disclosure (WASC-13):

http://site/wp-admin/users.php?s=http://

There is FPD when search string starts from http:// or https://.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ