[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFWG0-i=EQO1LORF_TvESgaZuAj7NOtXonLJ0udRjhOhK-dSmw@mail.gmail.com>
Date: Sat, 7 Mar 2015 21:22:53 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of
File Security Vulnerabilities
*WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security
Vulnerabilities*
Exploit Title: WordPress Daily Edition Theme v1.6.2 /thumb.php src
Parameter Unrestricted Upload of File Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Unrestricted Upload of File with Dangerous Type
[CWE-434]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]
*Advisory Details:*
*(1) Vendor & Product Description:*
*Vendor:*
WooThemes
*Product & Version:*
WordPress Daily Edition Theme
v1.6.2
*Vendor URL & Download:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/
*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition
is a clean, spacious newspaper/magazine theme designed by Liam McKay. With
loads of home page modules to enable/disable and a unique java script-based
featured scroller and video player the theme oozes sophistication"
"The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the themes
appearance and functions flexible. From The Daily Edition 3 option pages
you can for example add your Twitter and Google analytics code, some custom
CSS and footer content – and in the widgets area you find a practical ads
management."
"Unique Features
These are some of the more unique features that you will find within the
theme:
A neat javascript home page featured slider, with thumbnail previews of
previous/next slides on hover over the dots.
A “talking points” home page that can display posts according to tags,
in order of most commented to least commented. A great way to highlight
posts gathering dust in the archives.
A customizable home page layout with options to specify how many full
width blog posts and how many “box” posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"
*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem.
It can be exploited by "Unrestricted Upload of File" (Arbitrary File
Uploading) attacks. With a specially crafted request, a remote attacker can
include arbitrary files from the targeted host or from a remote or local
host . This may allow disclosing file contents or executing files like PHP
scripts. Such attacks are limited due to the script only calling files
already on the target host.
*(2.1)* The code flaw occurs at "thumb.php?" page with "src" parameters.
*References:*
http://tetraph.com/security/unrestricted-upload-of-file-arbitrary/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/4
http://packetstormsecurity.com/files/130653/Webshop-Hun-1.062S-Directory-Traversal.html
--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists