Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress

2011-10-24T00:00:00
ID SECURITYVULNS:DOC:27212
Type securityvulns
Reporter Securityvulns
Modified 2011-10-24T00:00:00

Description

Hello 3APA3A!

I want to warn you about multiple security vulnerabilities in the Simple:Press Forum plugin for WordPress.

These are Code Execution and Full path disclosure vulnerabilities.

Code Execution (WASC-31):

Execution of arbitrary code is possible via TinyBrowser. As I already reported concerning TinyBrowser for TinyMCE (http://securityvulns.ru/docs26660.html), the program is vulnerable to three methods of code execution.

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php

Full path disclosure (WASC-13):

http://site/wp-content/plugins/simple-forum/styles/icons/default/ICON_DEFAULTS.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/EnchantSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpell.php

http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpellShell.php

The last four FPD vulnerabilities are in TinyMCE, which is shipped with SPF.

There were many FPDs in old versions of SPF; some of them have already been fixed in the latest version, 4.4.5. In particular, old versions (such as 4.1.1) have FPDs in the admin folder:

http://site/wp-content/plugins/simple-forum/admin/sfa-framework.php

http://site/wp-content/plugins/simple-forum/admin/sfa-menu.php

There are also FPDs in some other files in subfolders of the admin, editors and other folders. In the latest version, only the five above-mentioned FPDs remain.

Simple:Press Forum 4.1.2 and previous versions are vulnerable to CE. In SPF 4.1.3, which was released on 31.12.2009, TinyBrowser was completely removed (the developers decided not to fix it themselves or wait for a fix from the developer of TinyBrowser, but just removed it). After TinyBrowser was removed from SPF, new methods of code execution were found in this application, so users of old versions of SPF became even more vulnerable (on both Apache and IIS web servers).

Simple:Press 4.4.5 and previous versions are vulnerable to FPD.

I mentioned these vulnerabilities on my site: http://websecurity.com.ua/5062/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
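
For site operators, a detection sketch that flags direct requests to the files listed in the advisory above when reviewing web server access logs. This is an added example, not part of the original advisory or the plugin's code; the log lines, client addresses and the `classify`/`scan` helper names are constructed for illustration, and matching the whole TinyBrowser directory is an assumption made here.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

PLUGIN = "/wp-content/plugins/simple-forum/"
SPELL = "editors/tinymce/plugins/spellchecker/classes/"
# Directly requestable files the advisory lists as full path disclosure (FPD).
FPD_FILES = {p.lower() for p in (
    "styles/icons/default/ICON_DEFAULTS.php",
    SPELL + "EnchantSpell.php", SPELL + "GoogleSpell.php",
    SPELL + "PSpell.php", SPELL + "PSpellShell.php",
    "admin/sfa-framework.php", "admin/sfa-menu.php",
)}
# The advisory attributes code execution (CE) to TinyBrowser as a whole, so
# this sketch flags its entire directory (a widening assumed here).
TINYBROWSER = "editors/tinymce/plugins/tinybrowser/"
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target):
    """Return "CE", "FPD" or None for one request target."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # Lower-case because IIS paths are case-insensitive; normpath folds
    # "//", "/./" and "/../" so simple path variations still match.
    path = normpath(path.replace("\\", "/")).lower()
    start = path.find(PLUGIN)  # WordPress may live in a subdirectory
    if start < 0:
        return None
    rel = path[start + len(PLUGIN):]
    if rel.startswith(TINYBROWSER):
        return "CE"
    return "FPD" if rel in FPD_FILES else None

def scan(lines):
    """Return (client, kind, status, target) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m["target"]) if m else None
        if kind:
            hits.append((m["ip"], kind, int(m["status"]), m["target"]))
    return hits

# Constructed sample lines in Apache combined format (documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Oct/2011:10:00:00 +0000] "GET /wp-content/plugins/simple-forum/admin/sfa-menu.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [24/Oct/2011:10:00:05 +0000] "GET /blog/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php?x=1 HTTP/1.1" 200 1200',
    '192.0.2.10 - - [24/Oct/2011:10:00:09 +0000] "GET /WP-Content/plugins/simple-forum/styles/icons/default/%49CON_DEFAULTS.php HTTP/1.1" 500 0',
    '203.0.113.4 - - [24/Oct/2011:10:00:12 +0000] "GET /wp-content/plugins/simple-forum/styles/default.css HTTP/1.1" 200 5120',
    'not an access log line',
]
```

Calling `scan(SAMPLE_LOG)` returns the three flagged requests; a 200 or 500 response on any of them means the file is still reachable on that host.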