file deletion
Summary:
Vulnerability                    L    M    H    T
Ip Spoofing                      [X]  [_]  [_]  [X]
Cross Site Scripting             [X]  [_]  [_]  [X]
Session Fixation                 [X]  [_]  [_]  [X]
mail() CRLF Injection            [X]  [_]  [_]  [_]
Local File Inclusion (+CSRF)     [_]  [X]  [_]  [X]
File Deletion (+CSRF)            [_]  [X]  [_]  [X]
File Upload Vulnerability        [_]  [_]  [X]  [X]
Code Execution (+CSRF)           [_]  [_]  [X]  [X]
Legend: L - Low risk, M - Medium risk, H - High risk, T - Tested
For protection it is necessary to use an appropriate .htaccess file and place it,
e.g., in the wp-content folder, to deny download of backups from the folder
with backups. I have been using this since the time I found this vulnerability.
It can be bypassed with the help of the Arbitrary File Deletion vulnerability
(http://websecurity.com.ua/1676/), which I wrote about in December 2007
(CVE-2008-0194). To use it, a CSRF attack on the admin is needed. This
attack works in WP-DB-Backup <= 2.0.
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=.htaccess
Hello Bugtraq!
I want to warn you about Cross-Site Scripting, Full Path Disclosure,
Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial
of Service vulnerabilities in WordPress.
For all these attacks it is necessary to have access to the admin account, or to
have an account with rights to work with plugins. Or to attack the admin or
another user with the required rights via XSS, to find out the token designed to
protect against CSRF attacks.
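Both WordPress fragments above turn on the same point: an arbitrary file deletion that is only reachable by an administrator still becomes exploitable when the delete action can be triggered cross-site, and the anti-CSRF token is what separates "needs the admin's browser" (CSRF) from "needs to read the admin's page" (XSS). The following is an added example of such a token check, not WordPress or WP-DB-Backup code; the action name, parameter name and the in-memory session secret are assumptions.

```php
<?php
// Added example: not code from WordPress or WP-DB-Backup.
// Assumptions (hypothetical): the action name "delete-backup", the form
// field "_token", and a per-session secret that a real application would
// keep server-side in the admin's session.

declare(strict_types=1);

// Derive a per-session, per-action token. A cross-site attacker who can
// make the admin's browser send a request cannot know it; only an XSS
// that reads the admin's page (as the advisory describes) can obtain it.
function csrfToken(string $sessionSecret, string $action): string
{
    return hash_hmac('sha256', $action, $sessionSecret);
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function csrfValid(string $sessionSecret, string $action, ?string $presented): bool
{
    if ($presented === null) {
        return false;
    }
    return hash_equals(csrfToken($sessionSecret, $action), $presented);
}

// Request handler for the backup-deletion action: refuses GET outright
// (the PoC above is a plain GET link) and then checks the token.
function handleDelete(string $method, array $params, string $sessionSecret): string
{
    if ($method !== 'POST') {
        return 'refused: state-changing action must be POST';
    }
    if (!csrfValid($sessionSecret, 'delete-backup', $params['_token'] ?? null)) {
        return 'refused: missing or wrong CSRF token';
    }
    return 'deleted ' . $params['backup'];
}

// Constructed demonstration inputs.
$secret = bin2hex(random_bytes(32));   // stands in for the admin's session secret

// 1. The advisory's GET link: wrong method, no token.
echo handleDelete('GET', ['backup' => '.htaccess'], $secret), "\n";
// 2. A forged cross-site POST form: right method, but no token.
echo handleDelete('POST', ['backup' => '.htaccess'], $secret), "\n";
// 3. A token minted for a different action is not accepted for deletion.
echo handleDelete('POST', ['backup' => 'site.sql',
                           '_token' => csrfToken($secret, 'run-backup')], $secret), "\n";
// 4. The legitimate admin form embeds the matching token and succeeds.
echo handleDelete('POST', ['backup' => 'site.sql',
                           '_token' => csrfToken($secret, 'delete-backup')], $secret), "\n";
```

Binding the token to the action name (case 3) keeps a token leaked from one form from being replayed against another; it does nothing against the XSS escalation the advisory describes, because XSS can read whichever token it needs.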
This advisory is the result of research into the security of Xoops,
based on the report generated by the CodeScan tool.
== Vulnerability Details ==
* File Deletion through unlink *
The unlink function is used by a web page to delete a file on the web server.
The unlink function was found to be used with user input:
unlink($oldsmile_path);
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02941034
Version: 2
HPSBMU02691 SSRT100483 rev.2 - HP Performance Agent and HP Operations Agent, Remote Arbitrary File Deletion
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-07-27
Last Updated: 2011-07-27
Major issues:
- SQL injection
- Cross Site Scripting
Other issues:
- Arbitrary File Deletion
- CRLF injection
----------- Major issues -----------
missing or improper validation of the "OAID" cookie;
- SQL injection in tjs.php because of missing or improper validation
of the "referer" GET parameter;
- XSS vulnerability in sso-accounts.php because of missing or improper
validation of the "email" GET parameter (2.4.x not affected)
- Possible arbitrary file deletion in tjs.php via the "trackerid" GET
parameter
- Possible CRLF injection in various delivery files because of missing
sanitisation of parameters (PHP 4.4.2 or 5.1.2 and following versions
are not affected)
- Possible arbitrary file deletion in various delivery scripts
http://site/wp-admin/page-new.php?popuptitle=%22%20style=%22xss:expression(alert(document.cookie))%22
Original article (in Russian): http://securityvulns.ru/Sdocument714.html
Additional details (in Ukrainian): http://websecurity.com.ua/1658/
2.3 Directory traversal, Arbitrary file deletion, Denial of Service
and Cross-Site Scripting via wp-db-backup.php
Directory Traversal (WordPress <= 2.0.3):
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess
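The Xoops unlink($oldsmile_path) finding, the two WP-DB-Backup traversal PoCs just above (one with "/", one with "\"), and the null-byte and traversal cases in the Quick Polls and OJS advisories further down share one root cause: a request-controlled name reaches unlink() without canonicalisation. The following is an added example of the vulnerable pattern beside a hardened one; it is not code from any of those projects, and the directory layout, the "backup" parameter and the allowed file-name shape are assumptions.

```php
<?php
// Added example: not code from WordPress, WP-DB-Backup, Xoops or any other
// project on this page. Assumptions (hypothetical): backups live in
// $backupDir and the request names the file in the "backup" parameter,
// as the PoC URLs above do.

declare(strict_types=1);

// Vulnerable pattern: the request value is joined to the directory and
// handed straight to unlink(), so "../../.htaccess" or "\..\..\.htaccess"
// walks out of the backup folder.
function deleteBackupVulnerable(string $backupDir, string $name): bool
{
    return @unlink($backupDir . DIRECTORY_SEPARATOR . $name);
}

// Hardened pattern: reject NUL bytes, allow-list the name shape (which also
// excludes "/", "\", ".." and dot-files), canonicalise with realpath() and
// confirm the result is still inside the backup directory, which also
// defeats a symlink planted inside it.
function deleteBackupSafe(string $backupDir, string $name): bool
{
    if (strpos($name, "\0") !== false) {
        return false;                     // NUL truncation trick on older PHP
    }
    // The D modifier stops "$" from matching before a trailing newline.
    if (!preg_match('/^[A-Za-z0-9_-]+\.sql(\.gz)?$/D', $name)) {
        return false;
    }
    $root = realpath($backupDir);
    $full = ($root !== false) ? realpath($root . DIRECTORY_SEPARATOR . $name) : false;
    if ($root === false || $full === false) {
        return false;                     // directory or file does not exist
    }
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;                     // resolved path escaped the directory
    }
    return unlink($full);
}

// Self-contained demonstration on a throw-away directory (constructed here).
$site    = sys_get_temp_dir() . '/wpdb-demo-' . bin2hex(random_bytes(4));
$backups = $site . '/backups';
mkdir($backups, 0700, true);
file_put_contents($site . '/.htaccess', "deny from all\n");   // the PoC's target
file_put_contents($backups . '/site_2023.sql.gz', 'dummy');    // a real backup

// The vulnerable handler removes the .htaccess one level up.
var_dump(deleteBackupVulnerable($backups, '../.htaccess'));
var_dump(file_exists($site . '/.htaccess'));
file_put_contents($site . '/.htaccess', "deny from all\n");   // put it back

// The hardened handler refuses every variant seen in the advisories.
foreach (['../.htaccess', '\\..\\.htaccess', "site_2023.sql.gz\0.txt", '.htaccess'] as $attack) {
    var_dump(deleteBackupSafe($backups, $attack));
}
var_dump(file_exists($site . '/.htaccess'));

// A well-formed name inside the directory is deleted as intended.
var_dump(deleteBackupSafe($backups, 'site_2023.sql.gz'));

// Clean up the demonstration directory.
unlink($site . '/.htaccess');
rmdir($backups);
rmdir($site);
```

The allow-list does most of the work; the realpath() containment check is the defence that survives if the allow-list is later loosened or a symlink appears inside the backup directory. Note that realpath() returns false for a file that does not exist, so the check must run on the final path, not on the directory alone.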
CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration
Severity: Low
Vendor:
The Apache Software Foundation
CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory
Severity: Low
Vendor:
The Apache Software Foundation
======================================================================
Secunia Research 24/03/2010
- Pulse CMS Arbitrary File Deletion Vulnerability -
======================================================================
ZDI-10-028: Skype URI Processing Arbitrary XML File Deletion Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-028
March 11, 2010
-- Affected Vendors:
Skype
-- Affected Products:
Skype
ZDI-08-046: RealNetworks RealPlayer Library File Deletion Stack Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-046
July 25, 2008
-- CVE ID:
ZDI-CAN-231
-- Affected Vendors:
RealNetworks
TPTI-10-05: Novell iPrint Client Browser Plugin Remote File Deletion Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-05
August 4, 2010
-- CVSS:
7.8, (AV:N/AC:L/Au:N/C:N/I:N/A:C)
-- Affected Vendors:
Novell
CreateShortcut() -> allows creating arbitrary executable files inside the automatic
startup folders
CopyDocument() -> allows copying arbitrary executable files from a remote
network share to local folders, e.g. the automatic startup folders
other attacks are possible, including information disclosure and file deletion;
see the typelib:
class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
/* DISPID=1610612736 */
function QueryInterface(
Mark Stanislav - mark.stanislav@gmail.com
I. DESCRIPTION
---------------------------------------
Two vulnerabilities exist in 'Quick Polls' providing local file inclusion & local file deletion due to null-byte attacks against functions in index.php.
II. TESTED VERSION
---------------------------------------
1.0.1
Where 'test' is a page containing the {{files}} action.
+---------------------------------------------------------------------+
| Arbitrary File Download and Arbitrary File Deletion (CVE-2011-4450) |
+---------------------------------------------------------------------+
The vulnerable code is located in /handlers/files.xml/files.xml.php:
$file = $this->GetSafeVar('file', 'get');
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Open Journal Systems which can be exploited to manipulate local files, upload arbitrary files and perform Cross-Site Scripting (XSS) attacks.
1) Arbitrary File Manipulation in Open Journal Systems: CVE-2012-1467
1.1 Arbitrary File Deletion
Input passed via the "param" parameter to "/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php" is not properly validated before being used in unlink() function. This can be exploited to delete arbitrary files via directory traversal sequences.
The vulnerability exists in "iBrowser" software component that is a built-in part of OJS 2.3.6 by default.
The following PoC (Proof-of-Concept) code is available:
This August I made a summary about all vulnerabilities in plugins for
WordPress (http://websecurity.com.ua/3397/), which I found during 2006-2009.
In this list 135 different vulnerabilities are mentioned in 20 plugins for
WordPress. Including Cross-Site Scripting, Insufficient Anti-automation,
Cross-Site Request Forgery, Directory Traversal, Arbitrary File Deletion,
Denial of Service, Full path disclosure, Insufficient Authorization,
Information Leakage, Abuse of Functionality, HTTP Response Splitting, SQL
Injection and CRLF Injection vulnerabilities.
Most posts mentioned in the list are in Ukrainian (so use Google Translate),