[wp-hackers] Wordpress 1.2.2 XSS Vulnerabilities

Allen Parker infowolfe at gmail.com
Fri Feb 4 14:40:08 GMT 2005


*bump*
this requires immediate attention.
*bump*


On Tue, 25 Jan 2005 09:18:13 -0000 (GMT), Peter Westwood
<peter.westwood at ftwr.co.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi All,
> 
> I'm searching around trying to find if there was ever a response to the report on bugtraq[1] that wordpress 1.2.2 was
> still vulnerable - mainly relating to whether a fix is/has been written and is likely to be released soon.  Otherwise
> we may find that we are dropped from Gentoo[2].
> 
> This was discussed previously on wp-hackers in December but the thread [3] never really answers my question.
> 
> I've searched through the bug tracker[4] and can't find a relevant bug that has been filed there - do we need one
> filed in order for it to get fixed?
> 
> Reviewing the vulns discussed in [1] against my 1.2.2 install:
> 
> XSS:
>   /wp-login.php?action=login&redirect_to=[XSS]
> This can cause a redirect to an external site after login - Social Engineering could be used to set up an external site
> which mimicked the wordpress login screen and gave you the failed login attempt info and persuaded you to enter your
> username/password again after the actual redirect
> 
>   /wp-admin/templates.php?file=[XSS]
>   /wp-admin/post.php?content=[XSS]
> Both of these require you to be logged in anyway so are not easily exploitable - Social Engineering is going to be
> required to get far with either of these:
> 
> SQL Errors:
>   /index.php?m=bla
>   /wp-admin/edit.php?m=bla
> The first of these does give a sql error which probably should be hidden - The only effect of the second appears to be
> to put a "0" above the list of posts
> 
> PHP-Warnings:
>   /wp.php?author=bla
>   /wp-commentsrss2.php?p=999999
>   /wp-admin/options.php?option_group_id=1888
>   /wp-admin/post.php?action=edit&post=2890000000000
> All of these do produce PHP Errors.
> 
> If the main devs are busy on working on WP1.5 / Have already fixed these issues in CVS and not had the time to back
> port them to 1.2.2 I am quite willing to spend some time looking into them and trying to produce a patch for v1.2.2 to
> address these issues.
> 
> Cheers
> 
> Peter
> 
> [1] - http://seclists.org/lists/bugtraq/2004/Dec/0297.html
> [2] - http://bugs.gentoo.org/show_bug.cgi?id=74649
> [3] - http://comox.textdrive.com/pipermail/hackers/2004-December/003479.html
> [4] - http://mosquito.wordpress.org/
> - --
> Peter Westwood
> westi on #wordpress
> Blog: http://www.ftwr.co.uk/blog/
> Get Firefox: http://www.spreadfirefox.com/?q=affiliates&id=20287
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> 
> iD8DBQFB9g7VVPRdzag0AcURAs6NAKCdvVKPaTSVTvZ/tGnElpFH3t60HgCgyK0e
> iwfHFogeKltX1OVfcN0cOzo=
> =1/dm
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> hackers mailing list
> hackers at wordpress.org
> http://wordpress.org/mailman/listinfo/hackers
> 


-- 
________________________________________
To avoid being added to my spam filter:
1. Utilize list replies unless otherwise requested.
2. If you DO send me a personal email, use english.
3. HTML isn't cute. It belongs on the web, not in my inbox.
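
The quoted report groups the findings into three input-handling classes: an unvalidated `redirect_to` target, parameters reflected into admin pages (`file`, `content`), and non-numeric or out-of-range ids (`m`, `p`, `post`, `option_group_id`) that surface SQL errors and PHP warnings. The following is an added example, not WordPress code and not a patch from either poster, showing the defensive handling a fix for each class would need. The helper names (`safe_redirect_target`, `esc_html_attr`, `int_param`) are hypothetical, the host `attacker.example` and the sample values are constructed, and the id ranges are illustrative assumptions.

```php
<?php
// Added example, not WordPress code: defensive handling for the three input
// classes in the quoted report (redirect_to, reflected parameters, numeric ids).
// Function names are hypothetical helpers, not WordPress or PHP library APIs.

// Errors belong in the log, not in the response body (the report's "sql error
// which probably should be hidden" and the PHP warnings it lists).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Accept only a same-site, absolute-path redirect target; anything carrying a
 * scheme or host (http://..., //host/..., javascript:...) falls back to $default.
 */
function safe_redirect_target(string $redirect_to, string $default = '/wp-admin/'): string
{
    // Control characters (including CR/LF) could inject extra response headers.
    if (preg_match('/[\x00-\x1F\x7F]/', $redirect_to)) {
        return $default;
    }
    $parts = parse_url($redirect_to);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    $path = $parts['path'] ?? '';
    // Must start with exactly one "/": browsers treat "//host" and "/\host"
    // as protocol-relative URLs pointing off-site.
    if ($path === '' || $path[0] !== '/'
        || (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\'))) {
        return $default;
    }
    return $redirect_to;
}

/** Escape a reflected value before echoing it into HTML text or an attribute. */
function esc_html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Read a query parameter as an integer within [$min, $max]; non-numeric or
 * out-of-range values (the report's "bla" and "2890000000000") return $default
 * instead of reaching a SQL query or an array index.
 */
function int_param(array $query, string $name, int $min, int $max, int $default): int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return $default;
    }
    $value = filter_var($query[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? $default : $value;
}

/** Run the helpers over constructed inputs modelled on the report's URLs. */
function demo(): array
{
    return [
        // redirect_to: external and protocol-relative targets are replaced by
        // the default, a local admin path is passed through unchanged
        'redirect_external' => safe_redirect_target('http://attacker.example/wp-login.php'),
        'redirect_relative' => safe_redirect_target('//attacker.example/'),
        'redirect_local'    => safe_redirect_target('/wp-admin/post.php?action=edit&post=12'),
        // file= / content=: the reflected value is escaped before output
        'file_escaped'      => esc_html_attr('"><i>bla</i>'),
        // m= (yyyymm, assumed range) and post= (assumed 32-bit id column):
        // a non-numeric or oversized value falls back to the default
        'm_bla'             => int_param(['m' => 'bla'], 'm', 190001, 209912, 0),
        'post_huge'         => int_param(['post' => '2890000000000'], 'post', 1, 2147483647, 0),
        'post_ok'           => int_param(['post' => '12'], 'post', 1, 2147483647, 0),
    ];
}

var_export(demo());
```

Run with `php example.php`. The redirect check deliberately rejects anything `parse_url` parses as having a scheme or host rather than comparing hostnames, which avoids the usual bypasses (`//host`, backslash tricks, userinfo before an `@`); the integer check bounds the value as well as its type, since the `post=2890000000000` case in the report is numeric but still outside what the id column can hold.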

