Tuesday, July 23, 2013

List of vulnerability in wordpress 3.5.1.



Recently true-caller and Tango messenger is hacked by Syrian-Electronic-Army.
And large amount of Database has been stolen. Now what is common in these sites?
They have word-press 3.5.1 which is vulnerable to some attack.


A weakness and multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to disclose certain system information and bypass certain security restrictions and by malicious people to conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, and cause a DoS (Denial of Service).

1) An error when calculating the hash cycle count within the "crypt_private()" method in /wp-includes/class-phpass.php can be exploited to exhaust CPU and memory resources by sending HTTP requests with a specially crafted password cookie.

Successful exploitation of this vulnerability requires knowledge of the URL for a password-protected post.

This vulnerability is confirmed in version 3.5.1. Prior versions may also be affected.



Here is full details & exploitation is available ;visit this link.

2) An unspecified error within the HTTP API related to server-side requests can be exploited to gain access to the site.

Here is full details.
http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

3) An unspecified error can be exploited to bypass certain restrictions when publishing posts.

Successful exploitation requires the "Contributor" role.

4) An unspecified error can be exploited to reassign the post authorship.

5) Certain input related to SWFUpload is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


6) Certain input related to Flash applet within TinyMCE Media Plugin is not properly verified before being used. This can be exploited to e.g. spoof unspecified content.

7) Certain input related to media uploading is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

8) An error when handling failed uploads can be exploited to disclose the full installation path.

No comments:

Post a Comment