Full Disclosure mailing list archives

Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress


From: "MustLive" <mustlive () websecurity com ua>
Date: Mon, 17 Oct 2011 21:06:17 +0300

Hello list!

I want to warn you about multiple security vulnerabilities in the
Simple:Press Forum plugin for WordPress.

These are Code Execution and Full path disclosure vulnerabilities.

-------------------------
Affected products:
-------------------------

Simple:Press Forum 4.1.2 and previous versions are vulnerable to CE. In
SPF 4.1.3, which was released on 31.12.2009, TinyBrowser was completely
removed (the developers decided not to fix it themselves or wait for a fix
from the developer of TinyBrowser, but simply removed it). After TinyBrowser
was removed from SPF, new methods of code execution were found in this
application, so users of old versions of SPF became even more vulnerable
(on Apache web servers as well as on IIS).

Simple:Press 4.4.5 and previous versions are vulnerable to FPD.

----------
Details:
----------

Code Execution (WASC-31):

Execution of arbitrary code is possible via TinyBrowser. As I already wrote
concerning TinyBrowser for TinyMCE
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-July/081939.html),
the program is vulnerable to three methods of code execution.

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php

Full path disclosure (WASC-13):

http://site/wp-content/plugins/simple-forum/styles/icons/default/ICON_DEFAULTS.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/EnchantSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpellShell.php

The last four FPD vulnerabilities are in TinyMCE, which is shipped with
SPF.

There were many FPD in old versions of SPF; some of them were already fixed
in the latest version 4.4.5. In particular, in old versions (such as 4.1.1)
there are FPD in the admin folder:

http://site/wp-content/plugins/simple-forum/admin/sfa-framework.php

http://site/wp-content/plugins/simple-forum/admin/sfa-menu.php

And in some other files in subfolders of the admin, editors and other
folders. In the latest version only the five above-mentioned FPD remain.

------------
Timeline:
------------

2011.02.11 - announced the TinyBrowser vulnerabilities on my site.
2011.02.14 - informed the developer of TinyBrowser.
2011.02.17 - the developer of TinyBrowser answered that he had just fixed
them in the next version 1.43.
2011.04.07 - announced the Simple:Press Forum vulnerabilities on my site.
2011.04.08 - informed the developers of Simple:Press Forum.
2011.07.14 - disclosed the TinyBrowser vulnerabilities on my site.
2011.10.15 - disclosed the Simple:Press Forum vulnerabilities on my site.

I mentioned these vulnerabilities on my site:
http://websecurity.com.ua/5062/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
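
An added example, not part of the original advisory: a local check that an administrator could run against a WordPress document root to see which of the files named in the advisory are present on disk. The function name and output format are assumptions; the relative paths are those listed above.

```python
import os
import sys

# Paths relative to the WordPress root, copied from the advisory above.
PLUGIN_DIR = "wp-content/plugins/simple-forum"
ADVISORY_FILES = {
    "CE (WASC-31)": [
        "editors/tinymce/plugins/tinybrowser/tinybrowser.php",
    ],
    "FPD (WASC-13)": [
        "styles/icons/default/ICON_DEFAULTS.php",
        "editors/tinymce/plugins/spellchecker/classes/EnchantSpell.php",
        "editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php",
        "editors/tinymce/plugins/spellchecker/classes/PSpell.php",
        "editors/tinymce/plugins/spellchecker/classes/PSpellShell.php",
        "admin/sfa-framework.php",
        "admin/sfa-menu.php",
    ],
}


def audit_simple_press(wp_root):
    """Return {category: [relative paths present on disk]} for one WordPress tree.

    Returns None when the simple-forum plugin directory does not exist.
    Presence only shows that a file named in the advisory is installed; the
    advisory ties the admin/ entries to old versions such as 4.1.1.
    """
    plugin_root = os.path.join(wp_root, *PLUGIN_DIR.split("/"))
    if not os.path.isdir(plugin_root):
        return None
    found = {}
    for category, rel_paths in ADVISORY_FILES.items():
        present = [p for p in rel_paths
                   if os.path.isfile(os.path.join(plugin_root, *p.split("/")))]
        if present:
            found[category] = present
    return found


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    result = audit_simple_press(root)
    if result is None:
        print("simple-forum plugin not installed under", root)
    elif not result:
        print("plugin present, none of the advisory files found")
    else:
        for category, paths in result.items():
            for p in paths:
                print(f"{category}: {PLUGIN_DIR}/{p}")
```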

