lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 12 Jul 2013 19:50:51 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: XSS,
	CS and FPD vulnerabilities in I Love It theme for WordPress

Hello list!

These are Cross-Site Scripting, Content Spoofing and Full path disclosure 
vulnerabilities in I Love It theme for WordPress. This is commercial 
(premium) theme.

-------------------------
Affected products:
-------------------------

All versions of I Love It theme for WordPress. The theme contains vulnerable 
versions of Audio Player and GDD FLVPlayer.

-------------------------
Affected vendors:
-------------------------

CosmoThemes
http://cosmothemes.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/iloveit/lib/php/assets/player.swf?playerID=%22))}catch(e){alert(document.cookie)}//

Content Spoofing (WASC-12):

http://site/wp-content/themes/iloveit/flv/gddflvplayer.swf

There are 10 vulnerabilities in GDD FLVPlayer: 8 CS and 2 XSS. Which I 
announced recently (http://websecurity.com.ua/6642/) and informed developers 
of GDD FLVPlayer. These vulnerabilities will be disclosed later.

Full path disclosure (WASC-13):

http://site/wp-content/themes/iloveit/

There are FPD vulnerabilities in index.php and other php-files (in folder 
and subfolders).

------------
Timeline:
------------ 

2013.05.24 - informed CosmoThemes about vulnerabilities in their I Love It 
New theme.
2013.07.11 - disclosed at my site (http://websecurity.com.ua/6646/).
2013.07.12 - informed developers about vulnerabilities in their I Love It 
theme.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ