Re: [FD] Java 8u40 released: why?

2015-03-07 Thread Nick FitzGerald
James Hodgkinson wrote:

> Maybe the major change is that they're including the Ask toolbar in
> all releases now, not just the windows one? :)

Indeed!

> The unwelcome Ask extension shows up as part of the installer if a Mac
> user downloads Java 8 Update 40 for the Mac. In my tests on a Mac
> running that latest release of OS X, the installer added an app to the
> current browser, Chrome version 41...

So you did not notice the explanation that this would happen, right 
there on the "continue the install" permission dialog?

The one we can see a screenshot of at, say:

   https://grahamcluley.com/2015/03/oracle-java-mac/

Your description rather strongly implies that you have no choice in 
getting the Ask toolbar, which is untrue.

I understand that Mac users will likely not be _accustomed_ to such 
permissions for _additional_ software, over and above the actual 
software that they thought they were installing, being requested, BUT 
unlike your description above and Ed Bott's at ZDNet (referenced in 
another post in this thread), the user is actually given the choice to 
not install the extra offer.

Of course, questions as to the desirability of the option being 
pre-selected, and the possibly less than fully transparent directions 
about the necessity of the offer are much the same with the Mac version 
and the Windows version, whose permission dialog you can see here:

   http://i.imgur.com/82Tp2pp.png?1
Regards,

Nick FitzGerald



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Partial pointer leaks

2015-03-07 Thread Christophe Hauser
On Thu, Mar 05, 2015 at 10:42:15AM -0800, Robert Święcki wrote:
> I'm not sure if that's what you look for, but certain perf operations
> leak one or two addresses from the kernel space in the default Ubuntu
> configuration. It's possible to write a short PoC, but it might take a
> few mins, instead feel free to to compile and use
> https://code.google.com/p/honggfuzz/source/checkout - which serves
> other purpose, but uses perf as well. This behavior could be well by
> design though, I haven't checked yet.
> 
> It will only work under newer Intel CPUs BTW.
> 
> $ ~/src/honggfuzz/honggfuzz -n1 -N1 -d4 -s -Dp -- /bin/true  | cut -f9
> -d" " | grep  | sort | uniq
> 0x8178ad82
> 0x8178ba47
> 
> # Remove the last 4 bits here
> $ sudo grep 8178ad8. /boot/System.map-3.16.0-31-generic
> 8178ad85 t sysret_careful
> 
> $ sudo grep 8178ba47 /boot/System.map-3.16.0-31-generic
> 8178ba47 T native_irq_return_iret
> 
> HTH

Hi Robert,

thank you, this is very interesting and seems to be one potential
occurrence of what I am looking for.

Nice tool by the way !

-- 
Christophe




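An added example, not part of Robert's or Christophe's messages and not taken from honggfuzz: a small Python symbolizer that does what the grep above does by hand, matching leaked addresses against System.map with the low nibble masked, and also reporting the nearest preceding symbol, which is usually the better attribution for a return address. The System.map excerpt is constructed for the demo (the two symbol names are the ones quoted in the post; the neighbouring entries and all addresses other than those two are invented), and only the low 32 bits are compared because the quoted output shows 32-bit values.

```python
# Added example, not from the thread or from honggfuzz: match leaked kernel
# addresses against a System.map the way the grep above does (low nibble
# masked) and also report the nearest preceding symbol. The System.map text
# is constructed for the demo: the two symbol names are the ones quoted in the
# post, the neighbouring entries and their addresses are invented.
import re

SYSTEM_MAP = """\
ffffffff8178ad70 t sysret_check
ffffffff8178ad85 t sysret_careful
ffffffff8178ada0 t sysret_signal
ffffffff8178ba47 T native_irq_return_iret
ffffffff8178ba50 t bad_iret
"""

LEAKED = ["0x8178ad82", "0x8178ba47"]  # the two values in the quoted output


def parse_system_map(text):
    """Return (address, type, name) tuples sorted by address."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$", line)
        if m:
            entries.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return sorted(entries)


def match_masked(addr, entries, mask_bits=4):
    """Names whose address equals addr once the low mask_bits bits are cleared,
    i.e. what 'grep 8178ad8.' finds."""
    mask = ~((1 << mask_bits) - 1)
    return [name for a, _, name in entries if (a & mask) == (addr & mask)]


def nearest_symbol(addr, entries):
    """(name, offset) of the symbol at or immediately below addr, or None.
    Relies on entries being sorted by address."""
    best = None
    for a, _, name in entries:
        if a <= addr:
            best = (name, addr - a)
        else:
            break
    return best


def resolve_leaks(leaked, map_text):
    """Map each leaked value to its masked matches and nearest symbol.

    The quoted output shows 32-bit values, so only the low 32 bits of each
    System.map address are compared.
    """
    entries = sorted((a & 0xFFFFFFFF, t, n) for a, t, n in parse_system_map(map_text))
    result = {}
    for s in leaked:
        addr = int(s, 16) & 0xFFFFFFFF
        result[s] = {"masked": match_masked(addr, entries),
                     "nearest": nearest_symbol(addr, entries)}
    return result


if __name__ == "__main__":
    for value, info in resolve_leaks(LEAKED, SYSTEM_MAP).items():
        print(value, "masked ->", info["masked"], "nearest ->", info["nearest"])
```

Note that on the constructed map the two methods disagree for the first value: the masked grep lands on sysret_careful, while the nearest preceding symbol is sysret_check+0x12. When auditing whether a leak is real, check both against the exact System.map for the running kernel before concluding which function the address belongs to.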

Re: [FD] Java 8u40 released: why?

2015-03-07 Thread Alan Coopersmith

On 03/ 6/15 06:21 PM, paul.sz...@sydney.edu.au wrote:
> Alan Coopersmith  wrote (and he should
> know!):
>
>> Java 8u40 is a feature release that's been planned for almost a year,
>> not a special out of band bug fix release.
>> http://openjdk.java.net/projects/jdk8u/releases/8u40.html
>> https://blogs.oracle.com/thejavatutorials/entry/jdk_8u40_released
>
> My observation in the past was that Java updates came with the rest
> of the "quarterly CPU" cycle. Was that wrong, has something changed?

There are Java updates associated with security fixes on the quarterly
CPU cycle, but those aren't the only Java updates - it is software under
active development after all, and releases new features too, not just
security patches.

http://www.oracle.com/technetwork/java/javase/overview/jdk-version-number-scheme-1918258.html
https://www.java.com/en/download/faq/release_dates.xml
http://openjdk.java.net/projects/jdk8u/

--
-Alan Coopersmith-  alan.coopersm...@oracle.com
 Oracle Solaris Engineering - http://blogs.oracle.com/alanc



Re: [FD] Java 8u40 released: why?

2015-03-07 Thread paul . szabo
Alan Coopersmith  wrote (and he should
know!):

> Java 8u40 is a feature release that's been planned for almost a year,
> not a special out of band bug fix release.
> http://openjdk.java.net/projects/jdk8u/releases/8u40.html
> https://blogs.oracle.com/thejavatutorials/entry/jdk_8u40_released

My observation in the past was that Java updates came with the rest
of the "quarterly CPU" cycle. Was that wrong, has something changed?

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia



Re: [FD] Java 8u40 released: why?

2015-03-07 Thread James Hodgkinson
Maybe the major change is that they’re including the Ask toolbar in all 
releases now, not just the windows one? :)

The unwelcome Ask extension shows up as part of the installer if a Mac user 
downloads Java 8 Update 40 for the Mac. In my tests on a Mac running that 
latest release of OS X, the installer added an app to the current browser, 
Chrome version 41 …
James
On 7 March 2015 at 7:39:32 am, Guy Dawson (g.daw...@crossflight.com) wrote:

My reading of the first WWW page is that only Java SE 7 u75/76 contains  
security fixes and that there are no security fixes in Java SE 8 u40.  

On 4 March 2015 at 01:23,  wrote:  

> I notice that Java (JDK, JRE) update 8u40 has been released.  
> Though  
> http://www.oracle.com/technetwork/java/javase/downloads/index.html  
> says "this release includes important security fixes", the release notes  
> http://www.oracle.com/technetwork/java/javase/8u40-relnotes-2389089.html  
> says the "security baseline" is 1.8.0_31 (unchanged).  
> I do not notice any major "useability" issues fixed.  
> So: why this out-of-band release?  
>  
> Thanks, Paul  
>  
> Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/  
> School of Mathematics and Statistics University of Sydney Australia  
>  
>  



--  

*Guy Dawson*  
IT Operations Manager  

Crossflight Limited, Calder Way, Colnbrook, SL3 0BQ  
*T* +44 (0) 1753 776104 | *W* crossflight.com  



Re: [FD] Java 8u40 released: why?

2015-03-07 Thread Alexander Burke
Java 8u40 includes adware on OS X for the first time ever:

http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/

Sorry for the poor quality of the link; I don't have time to find a better one.

— Alex



On 06/03/2015, at 21:02, paul.sz...@sydney.edu.au wrote:
>>> I notice that Java (JDK, JRE) update 8u40 has been released.
>>> Though
>>>  http://www.oracle.com/technetwork/java/javase/downloads/index.html
>>> says "this release includes important security fixes" ...
>> 
>> My reading of the first WWW page is that only Java SE 7 u75/76 contains
>> security fixes and that there are no security fixes in Java SE 8 u40.
> 
> Yes, they changed the wording since I wrote that! Noting that 7u75/76
> are not new now, but were released in January.
> 
> Seems that 8u40 is simply a useability release; previous must have been
> very bad, unusual that Oracle would release out-of-band.
> 
> Thanks, Paul
> 
> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of SydneyAustralia
> 


Re: [FD] Java 8u40 released: why?

2015-03-07 Thread Alan Coopersmith

On 03/ 6/15 12:02 PM, paul.sz...@sydney.edu.au wrote:
>>> I notice that Java (JDK, JRE) update 8u40 has been released.
>>> Though
>>>    http://www.oracle.com/technetwork/java/javase/downloads/index.html
>>> says "this release includes important security fixes" ...
>>
>> My reading of the first WWW page is that only Java SE 7 u75/76 contains
>> security fixes and that there are no security fixes in Java SE 8 u40.
>
> Yes, they changed the wording since I wrote that! Noting that 7u75/76
> are not new now, but were released in January.
>
> Seems that 8u40 is simply a useability release; previous must have been
> very bad, unusual that Oracle would release out-of-band.

Java 8u40 is a feature release that's been planned for almost a year, not
a special out of band bug fix release.

http://openjdk.java.net/projects/jdk8u/releases/8u40.html
https://blogs.oracle.com/thejavatutorials/entry/jdk_8u40_released

--
-Alan Coopersmith-  alan.coopersm...@oracle.com
 Oracle Solaris Engineering - http://blogs.oracle.com/alanc



[FD] Fw: Vulnerabilities in ASUS RT-G32

2015-03-07 Thread MustLive

Hello list!

There are Cross-Site Scripting and Cross-Site Request Forgery
vulnerabilities in ASUS Wireless Router RT-G32.

-
Affected products:
-

The following model is vulnerable: ASUS RT-G32, with different versions of
firmware. I checked ASUS RT-G32 with firmware versions 2.0.2.6 and
2.0.3.2.

--
Details:
--

Cross-Site Scripting (WASC-08):

http://site/start_apply.htm?next_page=%27%2balert(document.cookie)%2b%27

http://site/start_apply.htm?group_id=%27%2balert(document.cookie)%2b%27

http://site/start_apply.htm?action_script=%27%2balert%28document.cookie%29%2b%27

http://site/start_apply.htm?flag=%27%2balert%28document.cookie%29%2b%27

These vulnerabilities work both via GET and via POST (they work even without
authorization).

ASUS RT-G32 XSS-1.html



ASUS RT-G32 XSS exploit (C) 2015 MustLive


http://site/start_apply.htm"; method="post">








Cross-Site Request Forgery (WASC-09):

The CSRF vulnerability allows changing various settings, including the admin's
password, as shown in this exploit (post-auth).

ASUS RT-G32 CSRF-1.html



ASUS RT-G32 CSRF exploit (C) 2015 MustLive


http://site/start_apply.htm"; method="post">








I found this and other routers since summer to take control over terrorists
in the Crimea, Donetsk & Lugansk regions of Ukraine. Read about it in the list
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html)
and in many of my interviews
(http://www.thedailybeast.com/articles/2015/02/18/ukraine-s-lonely-cyber-warrior.html).

I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/7644/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



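An added example, written for this archive page rather than taken from MustLive's exploit or from ASUS firmware, in Python for brevity: a model of an "apply" page that reflects next_page into a JavaScript string literal (the injection point the GET URLs above hit with '+alert(document.cookie)+') beside a hardened version that allowlists the page name and emits it as an escaped literal, plus a settings-change routine that refuses POSTs lacking a per-session token, which is what defeats the cross-site form post described under the CSRF heading. The page names, the http_passwd field name and the plain-dict session are assumptions for the demo.

```python
# Added example, not MustLive's exploit and not ASUS firmware code: a Python
# model of an "apply" page that reflects next_page into a JavaScript string
# (the injection point in the advisory) beside a hardened version, and a
# settings-change routine guarded by a per-session CSRF token. The page names,
# the http_passwd field and the plain-dict session are assumptions for the demo.
import hmac
import json
import secrets

ALLOWED_PAGES = {"index.htm", "Advanced_Wireless_Content.htm"}  # assumed page names


def render_vulnerable(next_page):
    """Unsafe: next_page lands inside a JS string literal unchanged, so a value
    such as '+alert(document.cookie)+' closes the literal and runs as code."""
    return "<script>location.href='" + next_page + "';</script>"


def js_string(value):
    """A JS string literal that cannot be broken out of: json.dumps escapes
    quotes and backslashes, and '<' / '>' are escaped so the value can never
    close the enclosing <script> element either."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_hardened(next_page):
    """Safe: unknown page names fall back to a fixed page, and the name is
    emitted as an escaped literal rather than pasted into the script."""
    if next_page not in ALLOWED_PAGES:
        next_page = "index.htm"
    return "<script>location.href=" + js_string(next_page) + ";</script>"


def issue_csrf_token(session):
    """Bind a random token to the session; the settings form must echo it."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def apply_settings(session, form, settings):
    """Hardened settings change: a POST without the session's token is refused.
    A form auto-submitted from another site carries the victim's cookies but
    cannot know the token, so it cannot change the admin password."""
    expected = session.get("csrf")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    if "http_passwd" in form:  # field name assumed for the demo
        settings["http_passwd"] = form["http_passwd"]
    return True


if __name__ == "__main__":
    payload = "'+alert(document.cookie)+'"   # the value from the advisory's URLs
    print(render_vulnerable(payload))
    print(render_hardened(payload))
    session, settings = {}, {}
    token = issue_csrf_token(session)
    print(apply_settings(session, {"http_passwd": "new"}, settings))                      # False
    print(apply_settings(session, {"http_passwd": "new", "csrf_token": token}, settings))  # True
```

The allowlist is the real fix for next_page: a router page name has no business carrying arbitrary text, so rejecting anything unexpected removes the injection point rather than merely escaping it. The token check addresses the second bug independently, since escaping output does nothing against a forged POST.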


[FD] Webshop hun v1.062S Information Leakage (Full Path Disclosure - FPD) Security Vulnerabilities

2015-03-07 Thread Jing Wang
*Webshop hun v1.062S Information Leakage (Full Path Disclosure - FPD)
Security Vulnerabilities*


Exploit Title: Webshop hun v1.062S /index.php termid parameter Information
Leakage Security Vulnerabilities
Product: Webshop hun
Vendor: Webshop hun
Vulnerable Versions: v1.062S
Tested Version: v1.062S
Advisory Publication: March 07, 2015
Latest Update: March 07, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]
*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Webshop hun


*Product & Version:*
Webshop hun
v1.062S


*Vendor URL & Download:*
Webshop hun can be bought from here,
http://www.webshophun.hu/index


*Product Introduction:*
Webshop hun is an online product-selling web application.

"If our webshop you want to distribute your products, but it is too
expensive to find on the internet found solutions, select the Webshop Hun
shop program and get web store for free and total maker banner must display
at the bottom of the page 468x60 size. The download shop program, there is
no product piece limit nor any quantitative restrictions, can be used
immediately after installation video which we provide assistance.

"The Hun Shop store for a free for all. In our experience, the most dynamic
web solutions ranging from our country. If the Webshop Hun own image does
not suit you, you can also customize the look of some of the images and the
corresponding text replacement, or an extra charge we can realize your
ideas. The Webshop Hun pages search engine optimized. They made the Hun
Shop web program to meet efficiency guidelines for the search engines. The
pages are easy to read and contain no unnecessary HTML tags. Any web page
is simply a few clicks away."





*(2) Vulnerability Details:*
Webshop hun web application has a security bug problem. It can be exploited
by Information Leakage attacks. This may allow a remote attacker to
disclose the software's installation path. While such information is
relatively low risk, it is often useful in carrying out additional, more
focused attacks.



*(2.1)* The code flaw occurs at "index.php?" page with "termid" parameter.
Attackers can get information such as the server software installation path,
etc.

*References:*
http://tetraph.com/security/information-leakage-vulnerability/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/webshop-hun-v1062s-information-leakage.html
http://www.inzeed.com/kaleidoscope/computer-web-security/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/webshop-hun-v1-062s-information-leakage-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/26
http://packetstormsecurity.com/files/130648/Webshop-Hun-1.062S-Cross-Site-Scripting.html
--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] NetCat CMS Multiple HTTP Response Splitting (CRLF) Security Vulnerabilities

2015-03-07 Thread Jing Wang
*NetCat CMS Multiple HTTP Response Splitting (CRLF) Security
Vulnerabilities*


Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of CRLF Sequences ('CRLF
Injection') [CWE-93]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]
*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be got from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. "NetCat designed to create an absolute
majority of the types of sites: from simple "business card" with a minimum
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects completely
different directions and at any level of complexity. View examples of sites
running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user,
because it does not require knowledge of Internet technologies, programming
and markup languages. NetCat constantly improving, adds new features. In
the process of finalizing necessarily take into account the wishes of our
partners and clients, as well as trends in Internet development. More than
2,000 studios and private web developers have chosen for their projects is
NetCat, and in 2013 sites, successfully working on our CMS, created more
than 18,000."

*(2) Vulnerability Details:*
NetCat web application has a security bug problem. It can be exploited by
HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker
to insert arbitrary HTTP headers, which are included in a response sent to
the server. If an application does not properly filter such a request, it
could be used to inject additional headers that manipulate cookies,
authentication status, or more.

*(2.1)* The first code flaw occurs at "/post.php" page with "redirect_url"
parameter by adding "%0d%0a%20".

*(2.2)* The second code flaw occurs at "redirect.php?" page with "url"
parameter by adding "%0d%0a%20".
*References:*
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/8
http://packetstormsecurity.com/files/130584/NetCat-CMS-5.01-Open-Redirect.html
--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

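An added example covering both (2.1) and (2.2), written for this page rather than taken from the advisory or from NetCat: a Location-header builder that refuses CR, LF and NUL in a redirect target (the "%0d%0a%20" the advisory appends, once decoded) and restricts where a redirect may point, together with a detector that flags requests whose redirect_url or url parameter contains CR/LF in web-server logs. The log lines are constructed, and the site host name and the Combined-style log format are assumptions.

```python
# Added example, not from the advisory or from NetCat: a header builder that
# refuses CR/LF in a redirect target and restricts where it may point, plus a
# detector for %0d%0a in redirect parameters in access logs. Log lines are
# constructed; the host name and the Combined-style log format are assumptions.
import re
from urllib.parse import urlsplit, unquote

ALLOWED_HOSTS = {"shop.example.test"}          # assumed: this site's own host
REDIRECT_PARAMS = ("redirect_url", "url")      # the two parameters in the advisory


class BadRedirect(ValueError):
    """Raised when a redirect target would be unsafe to emit as a header."""


def location_header(target):
    """Return ('Location', target) only if target is header-clean and on-site."""
    # Any CR, LF or NUL would end the header line and let the caller's input
    # start a new header, which is exactly the CRLF injection at issue.
    if re.search(r"[\r\n\x00]", target):
        raise BadRedirect("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # absolute URL (or protocol-relative //host): only https to our host
        if parts.scheme != "https" or parts.netloc not in ALLOWED_HOSTS:
            raise BadRedirect("redirect to foreign host refused")
    elif not target.startswith("/") or target.startswith("//"):
        raise BadRedirect("only site-relative paths are allowed")
    return ("Location", target)


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')


def flag_crlf_requests(log_lines):
    """Return (client_ip, request_path) for requests whose redirect parameter
    contains CR or LF after URL-decoding (so %0d%0a and %0D%0A both count)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        for pair in urlsplit(path).query.split("&"):
            name, _, value = pair.partition("=")
            if name in REDIRECT_PARAMS and re.search(r"[\r\n]", unquote(value)):
                hits.append((ip, path))
                break
    return hits


SAMPLE_LOG = [  # constructed lines hitting the advisory's two vulnerable locations
    '203.0.113.7 - - [07/Mar/2015:10:00:01 +0000] "GET /post.php?redirect_url=/thanks.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [07/Mar/2015:10:00:02 +0000] "GET /post.php?redirect_url=/thanks.php%0d%0a%20 HTTP/1.1" 302 0',
    '203.0.113.9 - - [07/Mar/2015:10:00:03 +0000] "GET /redirect.php?url=/%0D%0A%20 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(location_header("/thanks.php"))
    for ip, path in flag_crlf_requests(SAMPLE_LOG):
        print("CRLF in redirect parameter from", ip, ":", path)
```

The check runs on the decoded value, which is what the application would otherwise write into the header; matching the literal text "%0d%0a" in the raw log would miss the upper-case and mixed-case encodings. Modern servers and frameworks reject control characters in header values themselves, but validating the redirect target also closes the open-redirect variant that header hygiene alone leaves behind.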


[FD] WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security Vulnerabilities

2015-03-07 Thread Jing Wang
*WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme v1.6.2 /thumb.php src
Parameter Unrestricted Upload of File Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Unrestricted Upload of File with Dangerous Type
[CWE-434]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]
*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
WooThemes



*Product & Version:*
WordPress Daily Edition Theme
v1.6.2



*Vendor URL & Download:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/



*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition
is a clean, spacious newspaper/magazine theme designed by Liam McKay. With
loads of home page modules to enable/disable and a unique java script-based
featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the themes
appearance and functions flexible. From The Daily Edition 3 option pages
you can for example add your Twitter and Google analytics code, some custom
CSS and footer content – and in the widgets area you find a practical ads
management."

"Unique Features
These are some of the more unique features that you will find within the
theme:
A neat javascript home page featured slider, with thumbnail previews of
previous/next slides on hover over the dots.
A “talking points” home page that can display posts according to tags,
in order of most commented to least commented. A great way to highlight
posts gathering dust in the archives.
A customizable home page layout with options to specify how many full
width blog posts and how many “box” posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"
*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem.
It can be exploited by "Unrestricted Upload of File" (Arbitrary File
Uploading) attacks. With a specially crafted request, a remote attacker can
include arbitrary files from the targeted host or from a remote or local
host. This may allow disclosing file contents or executing files like PHP
scripts. Such attacks are limited due to the script only calling files
already on the target host.


*(2.1)* The code flaw occurs at "thumb.php?" page with "src" parameters.
*References:*
http://tetraph.com/security/unrestricted-upload-of-file-arbitrary/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/4
http://packetstormsecurity.com/files/130653/Webshop-Hun-1.062S-Directory-Traversal.html
--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

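An added example, written for this page and not the theme's thumb.php or any WooThemes code: a resolver for a user-supplied "src" parameter of the kind the advisory describes, which only ever yields an existing image file inside a fixed directory, so neither a remote URL nor a path that climbs out of the image root nor a script file can be handed to the image code. The directory layout built by make_demo_root() is constructed for the demo.

```python
# Added example, not the theme's thumb.php and not WooThemes code: a resolver
# for a user-supplied "src" parameter that only ever yields an existing image
# inside a fixed directory. The directory layout built by make_demo_root() is
# constructed for the demo.
import os
import tempfile
from urllib.parse import urlsplit

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_local_src(image_root, src):
    """Return the real path of src if it is an image inside image_root, else None."""
    parts = urlsplit(src)
    if parts.scheme or parts.netloc:
        return None  # remote sources (http://..., //host/...) are never fetched
    root = os.path.realpath(image_root)
    # treat the value as relative to the image root even if it starts with '/'
    candidate = os.path.realpath(os.path.join(root, src.lstrip("/")))
    # realpath has resolved '..' and symlinks; the result must still be under root
    if os.path.commonpath([root, candidate]) != root:
        return None
    if os.path.splitext(candidate)[1].lower() not in IMAGE_EXTENSIONS:
        return None  # a .php or other script is not an image, whatever it holds
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_root():
    """Constructed fixture: an image directory with one image, and a file outside it."""
    top = tempfile.mkdtemp()
    images = os.path.join(top, "images")
    os.mkdir(images)
    with open(os.path.join(images, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")
    with open(os.path.join(top, "wp-config.php"), "w") as f:
        f.write("<?php /* constructed, not a real secret */\n")
    return images


def demo():
    """Try the kinds of src values that matter and report which ones resolve."""
    images = make_demo_root()
    values = ["logo.png", "/logo.png", "../wp-config.php",
              "http://203.0.113.5/logo.png", "//203.0.113.5/logo.png", "logo.png.php"]
    return {v: resolve_local_src(images, v) is not None for v in values}


if __name__ == "__main__":
    for value, ok in demo().items():
        print(("served  " if ok else "refused ") + value)
```

Checking containment after realpath rather than by scanning the string for ".." is what makes the check hold up: encoded or doubled separators and symlinks all collapse to a concrete path first, and the decision is made on that.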

[FD] WordPress Daily Edition Theme v1.6.2 SQL Injection Security Vulnerabilities

2015-03-07 Thread Jing Wang
*WordPress Daily Edition Theme v1.6.2 SQL Injection Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme v1.6.2 /fiche-disque.php id
Parameters SQL Injection Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]
*Advisory Details:*


*(1) Vendor & Product Description:*



*Vendor:*
WooThemes



*Product & Version:*
WordPress Daily Edition Theme
v1.6.2



*Vendor URL & Download:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/



*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition
is a clean, spacious newspaper/magazine theme designed by Liam McKay. With
loads of home page modules to enable/disable and a unique java script-based
featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the themes
appearance and functions flexible. From The Daily Edition 3 option pages
you can for example add your Twitter and Google analytics code, some custom
CSS and footer content – and in the widgets area you find a practical ads
management."

"Unique Features
These are some of the more unique features that you will find within the
theme:
A neat javascript home page featured slider, with thumbnail previews of
previous/next slides on hover over the dots.
A “talking points” home page that can display posts according to tags,
in order of most commented to least commented. A great way to highlight
posts gathering dust in the archives.
A customizable home page layout with options to specify how many full
width blog posts and how many “box” posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"
*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem.
It can be exploited by SQL Injection attacks. This may allow a remote
attacker to inject or manipulate SQL queries in the back-end database,
allowing for the manipulation or disclosure of arbitrary data.


*(2.1)* The code flaw occurs at "fiche-disque.php?" page with "&id"
parameter.
*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162-sql.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/27
http://packetstormsecurity.com/files/130075/SmartCMS-2-SQL-Injection.html
--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

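An added example, written for this page and not the theme's fiche-disque.php or any WooThemes code: the vulnerable pattern the advisory points at (an id parameter concatenated into the SQL text) beside the hardened one (validate the value's type, then bind it), both run against an in-memory SQLite table so the difference in results is visible. The table, its rows and the column names are constructed for the demo.

```python
# Added example, not the theme's fiche-disque.php and not WooThemes code: the
# vulnerable pattern (the id parameter concatenated into SQL) beside the
# hardened one (validate, then bind), run against an in-memory SQLite table.
# The table, its rows and the column names are constructed for the demo.
import sqlite3


def make_demo_db():
    """Constructed fixture: a small 'disques' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE disques (id INTEGER PRIMARY KEY, titre TEXT, prix REAL)")
    conn.executemany("INSERT INTO disques VALUES (?, ?, ?)",
                     [(1, "Alpha", 9.99), (2, "Beta", 12.50), (3, "Gamma", 7.00)])
    return conn


def fiche_vulnerable(conn, id_param):
    """Unsafe: the request parameter becomes part of the SQL text, so quotes
    in it change the query's structure instead of being compared as data."""
    sql = "SELECT id, titre FROM disques WHERE id = '" + id_param + "'"
    return conn.execute(sql).fetchall()


def fiche_hardened(conn, id_param):
    """Safe: the value must look like an integer, and it is passed as a bound
    parameter, so the driver never lets it alter the statement."""
    if not id_param.isdigit():
        return []
    return conn.execute("SELECT id, titre FROM disques WHERE id = ?",
                        (int(id_param),)).fetchall()


def demo():
    """Run both versions with a normal id and with a textbook tautology."""
    conn = make_demo_db()
    tamper = "' OR '1'='1"   # stands in for any crafted id value
    return {
        "vulnerable_normal": fiche_vulnerable(conn, "2"),
        "vulnerable_tampered": fiche_vulnerable(conn, tamper),
        "hardened_normal": fiche_hardened(conn, "2"),
        "hardened_tampered": fiche_hardened(conn, tamper),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, "->", rows)
```

The type check is not what prevents the injection; the bound parameter is. The check is there so that a malformed id is answered with an empty result rather than a database error, which is the same kind of error message the Webshop hun advisory above turns into a path disclosure.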