WordPress WooCommerce Reflected XSS

19 September 2014 - Source: http://www.mondounix.com
Details
================
Software: WooCommerce - excelling eCommerce
Version: 2.1.12
Homepage: http://wordpress.org/plugins/woocommerce/
Advisory report: 
https://security.dxw.com/advisories/reflected-xss-in-woocommerce-excelling-ecommerce-allows-attackers-ability-to-do-almost-anything-an-admin-user-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
 
Description
================
Reflected XSS in WooCommerce – excelling eCommerce allows attackers to do almost anything an admin user can do
 
Vulnerability
================
An attacker able to convince a logged-in admin user to visit a link of their choosing (for instance via spearphishing) 
can execute arbitrary JavaScript within...


WordPress WP-Ban 1.62 Bypass

18 September 2014 - Source: http://www.mondounix.com
Details
================
Software: WP-Ban
Version: 1.62
Homepage: http://wordpress.org/plugins/wp-ban/
Advisory report: https://security.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
CVE: CVE-2014-6230
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)
 
Description
================
Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations
 
Vulnerability
================
This plugin allows blacklisting visitors based on their IP address; however, it takes the IP address from the X-Forwarded-For header if one is present.
Not all web server configurations strip or replace X-Forwarded-For headers – in which case the IP ban can be bypassed...
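The header-trust problem described above, as an added example that is not code from WP-Ban or from the dxw advisory. It assumes a constructed ban list, one constructed trusted reverse proxy (10.0.0.5) and constructed client addresses; the function names are hypothetical:

```python
"""
Added example, not code from WP-Ban or from the dxw advisory: why a ban list
keyed on X-Forwarded-For can be bypassed, and how to resolve the client
address safely. The ban list, the proxy list and every address below are
constructed for the demonstration.
"""
import ipaddress
from typing import Callable, Optional

# Constructed ban list, standing in for the plugin's IP blacklist.
BANNED = {"203.0.113.7"}

# Constructed set of reverse proxies that are allowed to set X-Forwarded-For.
# An empty set would mean "no proxy in front of us": never trust the header.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_vulnerable(remote_addr: str, xff: Optional[str]) -> str:
    """The pattern the advisory describes: whenever an X-Forwarded-For header
    is present, its first entry is taken as the client address, regardless of
    who the TCP peer actually is. Any visitor can set that header."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, xff: Optional[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then
    walk the chain from the right (the hop our proxy appended) to the left and
    stop at the first address that is not one of our own proxies. A malformed
    entry falls back to the peer address, never to an attacker-supplied string."""
    if remote_addr not in TRUSTED_PROXIES or not xff:
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if hop not in TRUSTED_PROXIES:
            return hop
    # Every hop was one of our proxies: nothing usable, treat as the peer.
    return remote_addr


def is_banned(resolve: Callable[[str, Optional[str]], str],
              remote_addr: str, xff: Optional[str]) -> bool:
    """Ban decision as the plugin would make it, with a pluggable resolver."""
    return resolve(remote_addr, xff) in BANNED


if __name__ == "__main__":
    # Banned host connects directly (no proxy) and forges the header.
    print(is_banned(client_ip_vulnerable, "203.0.113.7", "198.51.100.9"))  # False: bypassed
    print(is_banned(client_ip_hardened, "203.0.113.7", "198.51.100.9"))    # True
```

The vulnerable resolver lets the banned host pick any address simply by sending the header itself. The hardened resolver ignores the header unless the TCP peer is one of the site's own proxies, and then reads the chain from the right, so a client that prepends a fake entry still resolves to the address the trusted proxy appended. The same check applies to a live deployment: a request from a banned address carrying a forged `X-Forwarded-For` must still be refused.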


DVWA Cross Site Request Forgery

16 September 2014 - Source: http://www.mondounix.com
<!-- There are multiple CSRF issues in DVWA. Attackers can use these CSRF exploits to
  first reset the victim's DVWA database, then make the victim log in using the default credentials the reset restores,
  next craft another CSRF to change the challenge level to low to make exploitation more probable,
  then use these to craft a command execution CSRF and possibly get a shell. :) 
 
  *This PoC will open calculator as a demo execution in approximately 5 seconds.*
 
  The attacker just needs to know you have DVWA for this to work.
 
  Paulos Yibelo and Tabor N. Shiferaw  2014
 
  -->
 
  <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js' type='text/javascript'>
  </script>
  <div...


WordPress Slideshow Gallery 1.4.6 Shell Upload

16 September 2014 - Source: http://www.mondounix.com
#!/usr/bin/env python
#
# WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit
#
# WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability (CVE-2014-5460)
#
# Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/
#
# Exploit written by: Claudio Viviani - info@homelab.it - http://www.homelab.it
#
#
# Disclaimer:
#
# This exploit is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other creative application of this exploit.
# If you disagree with the above statement, stop here.
#
#
# Requirements:
#
# 1) Enabled user management...


WordPress Photo Album Plus 5.4.4 Cross Site Scripting

15 September 2014 - Source: http://www.mondounix.com
WP Photo Album Plus Security Vulnerabilities
 
Author: Milhouse 
Download: https://wordpress.org/plugins/wp-photo-album-plus/
Home Page: http://wppa.opajaap.nl/
Google dork: inurl:wp-content/plugins/wp-photo-album-plus
 
Set up:
WordPress Version: 3.9.1, 3.9.2
WP Photo Album Plus version: 5.4.4, 5.4.3
Client browsers: Firefox 31, Internet Explorer 8-11
 
Issue number 1: A Cross-Site Scripting (reflected) vulnerability.
Details:
The plugin echoes the value of the HTTP header "User-Agent" back to the client browser without sanitization, so JavaScript placed in that header is inserted into the page.
 
Severity: Low
 
Proof of Concept (POC):
Request:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent:...
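What "echoes the User-Agent back without sanitization" looks like, as an added example that is not the plugin's code: a constructed template rendered the vulnerable way and the escaped way, plus the marker-based reflection check a tester runs before calling a finding reflected XSS. The function names, template text and probe format are assumptions:

```python
"""
Added example, not code from WP Photo Album Plus or from the advisory: the
difference between dropping the User-Agent header into the page as-is and
escaping it at the output point, and a reflection probe that only fires when
the raw (unescaped) marker comes back. The template and requests are
constructed; the plugin's real template is not on this page.
"""
import html
import secrets
from typing import Callable, Tuple


def render_vulnerable(user_agent: str) -> str:
    """Header value concatenated straight into HTML, as the advisory describes."""
    return "<p>Your browser: " + user_agent + "</p>"


def render_hardened(user_agent: str) -> str:
    """Same page, but every character with HTML meaning is encoded before the
    value is placed in an element body. Escaping on output, not on input, is
    what makes an attacker-controlled header safe to echo."""
    return "<p>Your browser: " + html.escape(user_agent, quote=True) + "</p>"


def make_probe() -> Tuple[str, str]:
    """A unique marker wrapped in a harmless tag. Uniqueness rules out a
    coincidental match; the angle brackets rule out matching the escaped form."""
    marker = "xss" + secrets.token_hex(4)
    return marker, "<" + marker + ">"


def reflects_unescaped(body: str, probe: str) -> bool:
    """True only when the raw probe (brackets intact) came back. An escaping
    page returns '&lt;marker&gt;' instead, which does not match."""
    return probe in body


def scan(render: Callable[[str], str]) -> bool:
    """Send the probe as the User-Agent value and see whether it survives.
    Against a real target this would be an HTTP request; here the page
    generator is called directly so the check runs offline."""
    _, probe = make_probe()
    return reflects_unescaped(render("Mozilla/5.0 " + probe), probe)


if __name__ == "__main__":
    print(scan(render_vulnerable))  # True: marker reflected unescaped
    print(scan(render_hardened))    # False
```

A probe built this way gives a yes/no answer that does not depend on a browser executing anything, which is the point: the escaped variant returns the same characters, just encoded, so a naive substring search for the marker alone would report a false positive.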


Joomla Spider Form Maker 4.3 SQL Injection

15 September 2014 - Source: http://www.mondounix.com
######################
 
# Exploit Title : Joomla Spider Form Maker <= 4.3 SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://web-dorado.com/
 
# Software Link : http://web-dorado.com/products/joomla-form.html
 
# Google Dork: inurl:com_formmaker
 
 
# Date : 2014-09-07
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
 
######################
 
# PoC Exploit:
 
http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]
 
 
The "id" parameter is not sanitized.
 
 
######################
 
# Vulnerability Disclosure Timeline:
 
2014-09-07:  Discovered vulnerability
2014-09-09:...


File .htaccess per wordpress

11 September 2014 - Source: http://www.consigliando.it

The .htaccess file is a plain text file that is not widely known outside of people with experience in web programming and platform design. It serves several purposes, the most important of which is to set directives for the Apache web server: Apache reads it from the directory it sits in and applies its rules (URL rewriting, access restrictions, custom error pages and so on) to that directory and everything below it, without any change to the main server configuration.

In fact...


WordPress Plugin Vulnerability Dump – Part 2

10 September 2014 - Source: http://www.mondounix.com
More vulnerabilities in poorly coded plugins for y'all.
 
Ninja Forms v2.77 - Authorization bypass (regular users can delete forms, etc)
Contact Form v3.83 - Email header injection
WP to Twitter v2.9.3 - Authorization bypass (regular users can tweet to the admin's twitter account)
Xhanch - My Twitter v2.7.7 - CSRF (create and delete tweets)
TinyMCE Advanced v4.1 - (insignificant) CSRF
W3 Total Cache v0.9.4 - (minor) CSRF
WordPress Download Manager v2.6.92 - Authorization bypass (regular users can upload/delete arbitrary files, yes, even php files)
Wordfence Security v5.2.2 - Stored XSS
 
Details and POCs located: https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/
 
More to follow.
 
-Voxel...


WordPress Spider Facebook 1.0.8 SQL Injection

9 September 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : WordPress Spider Facebook 1.0.8 Authenticated SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://web-dorado.com/
 
# Software Link : http://downloads.wordpress.org/plugin/spider-facebook.1.0.8.zip
 
# Date : 2014-08-25
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
 
######################
 
# Location :  
http://localhost/wp-content/plugins/plugins/spider-facebook/facebook.php
 
######################
 
# Vulnerable code :
 
function Spider_Facebook_manage()
{
        require_once("facebook_manager.php");
        require_once("facbook_manager.html.php");
...
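What "the id variable is not sanitized" means for both Web-Dorado advisories on this page (Spider Form Maker above and Spider Facebook here), as an added example that is not either plugin's code: the request parameter concatenated into the query beside the same lookup with a bound parameter, run against a constructed SQLite schema, plus the boolean probe a tester uses to confirm an injection point. Table names, rows and function names are assumptions:

```python
"""
Added example, not code from the Spider Form Maker or Spider Facebook
plugins: the same request parameter placed in the query by string
concatenation (the vulnerable pattern) and as a bound parameter, and a
boolean-based probe that tells the two apart. The tables, rows and 'users'
data are constructed stand-ins; the plugins' real schemas are not on this page.
"""
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the plugin's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE forms (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO forms VALUES (1, 'contact'), (2, 'newsletter');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash');
        """
    )
    return conn


def fetch_form_vulnerable(conn: sqlite3.Connection, form_id: str) -> List[Tuple]:
    """The request parameter becomes part of the SQL text, so anything after
    the number is parsed as SQL by the database."""
    return conn.execute("SELECT id, title FROM forms WHERE id=" + form_id).fetchall()


def fetch_form_parameterized(conn: sqlite3.Connection, form_id: str) -> List[Tuple]:
    """Validate the type, then bind the value. The driver sends it as data,
    never as query text, so it cannot change the statement's structure."""
    try:
        n = int(form_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM forms WHERE id=?", (n,)).fetchall()


def looks_injectable(conn: sqlite3.Connection,
                     fetch: Callable[[sqlite3.Connection, str], List[Tuple]],
                     form_id: str) -> bool:
    """Boolean-based probe: a tautology appended to the id should leave the
    result unchanged and a contradiction should empty it. With a bound
    parameter both variants fail validation, so the probe reports nothing."""
    base = fetch(conn, form_id)
    true_case = fetch(conn, form_id + " AND 1=1")
    false_case = fetch(conn, form_id + " AND 1=2")
    return bool(base) and true_case == base and false_case == []


if __name__ == "__main__":
    db = make_db()
    payload = "0 UNION SELECT login, pw_hash FROM users"
    print(fetch_form_vulnerable(db, payload))      # [('admin', 'constructed-hash')]
    print(fetch_form_parameterized(db, payload))   # []
    print(looks_injectable(db, fetch_form_vulnerable, "1"))     # True
    print(looks_injectable(db, fetch_form_parameterized, "1"))  # False
```

The UNION payload shows why an unsanitized numeric id is not a minor issue: the column count of the original SELECT is all the attacker needs to pull rows from any other table. The probe is the manual equivalent of what sqlmap (listed in the advisory's test setup) automates, and it is deliberately non-destructive: it only compares result sets.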
