Advanced Dewplayer 1.2 Directory Traversal

2014.01.05
Credit: Henri Salo
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

While verifying (lunch break) dewplayer issues announced here http://seclists.org/fulldisclosure/2013/Dec/209 I noticed that the same component is also used with other plugins. Please notify me in case this list does not care about WordPress plugin security overall as it can make our list less readable. Only listing active (non-disabled) plugins.

Q: Do content spoofing issues normally get a CVE as the risk is probably minimal?

Assigning one CVE for a vulnerability in different software components, e.g. libraries used in WordPress plugins, makes it very difficult to coordinate updates with end-users. Examples:
http://osvdb.org/83413
http://osvdb.org/90374

I hope to get new CVEs for these issues below.

#1
Plugin: flash-player-widget
Version tested: 1.3
Type: CAPEC-148: Content Spoofing
PoC: http://example.com/wp-content/plugins/flash-player-widget/dewplayer.swf?mp3=http://example.mp3
SHA1: 97a4b45212be83bf8dc5dd7a289a3decac7889ab
Notes:
- No XSS vector by using ?xml=xss.xml
- No full path disclosure

#2
Plugin: advanced-dewplayer
Version tested: 1.2
Type: CAPEC-148: Content Spoofing
PoC: http://example.com/wp-content/plugins/advanced-dewplayer/dewplayer.swf?mp3=http://example.mp3
SHA1: 2947cc06ab1bd6e8af2229511e6797f9709ca615 (same as dewplayer-flash-mp3-player in the announcement)
Notes:
- No XSS vector by using ?xml=xss.xml
- No full path disclosure

Also, in the process I noticed that there is an additional security vulnerability. Details below.

#3
Plugin: advanced-dewplayer
Version tested: 1.2
Type: Information Disclosure / CAPEC-118: Data Leakage Attacks
PoC: http://example.com/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php
Impact: File wp-config.php contains database passwords, authentication keys/salts etc. Does not need authentication.

General note: No time to make a proper analysis so there are probably more issues :)

References:

http://seclists.org/oss-sec/2013/q4/570
http://osvdb.org/83413
http://osvdb.org/90374
http://seclists.org/fulldisclosure/2013/Dec/209
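
For sites that ran the affected plugin, one way to check web server access logs for requests matching issue #3 is sketched below. This is an added example, not code from the advisory or the plugin; it assumes combined-format access logs, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter name are taken from PoC #3 in the advisory.
ENDPOINT = "/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php"
PARAM = "dew_file"

# Client address, request target and status of a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')

def has_parent_segment(value):
    """True if the decoded parameter value contains a '..' path segment."""
    return ".." in value.replace("\\", "/").split("/")

def scan(lines):
    """Return (client, decoded dew_file value, HTTP status) per traversal request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        # endswith() also covers WordPress installed in a subdirectory.
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes once, as PHP does when filling $_GET.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if has_parent_segment(value):
                hits.append((client, value, status))
    return hits

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [05/Jan/2014:12:01:07 +0000] "GET ' + ENDPOINT
    + '?dew_file=../../../../wp-config.php HTTP/1.1" 200 3120',
    '192.0.2.11 - - [05/Jan/2014:12:03:44 +0000] "GET ' + ENDPOINT
    + '?dew_file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 404 0',
    '198.51.100.5 - - [05/Jan/2014:12:05:02 +0000] "GET ' + ENDPOINT
    + '?dew_file=song.mp3 HTTP/1.1" 200 48211',
    '198.51.100.6 - - [05/Jan/2014:12:06:30 +0000] "GET /index.php?dew_file=../x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, value, status in scan(SAMPLE):
        # A 200 suggests the file was served: treat wp-config.php secrets as exposed.
        print(client, status, value)
```

A hit with status 200 is the case to prioritise, since the advisory notes that wp-config.php holds database passwords and authentication keys/salts.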

