[wp-hackers] Wordpress 1.2.2 XSS Vulnerabilities

Peter Westwood peter.westwood at ftwr.co.uk
Tue Jan 25 09:18:13 GMT 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I'm searching around trying to find if there was ever a response to the report on bugtraq[1] that wordpress 1.2.2 was
still vulnerable - mainly relating to whether a fix is/has been written and is likely to be released soon.  Otherwise
we may find that we are dropped from Gentoo[2].

This was discussed previously on wp-hackers in December but the thread [3] never really answers my question.

I've searched through the bug tracker[4] and can't find a relevant bug that has been filed there - do we need one
filed in order for it to get fixed?

Reviewing the vulns discussed in [1] against my 1.2.2 install:

XSS:
  /wp-login.php?action=login&redirect_to=[XSS]
This can cause a redirect to an external site after login - Social Engineering could be used to setup an external site
which mimicked the wordpress login screen and gave you the failed login attempt info and persuaded you to enterer you
username/password again after the actual redirect

  /wp-admin/templates.php?file=[XSS]
  /wp-admin/post.php?content=[XSS]
Both of these require you to be logged in anyway so are not easily exploitable - Social Engineering is going to be
required to get far with either of these:

SQL Errors:
  /index.php?m=bla
  /wp-admin/edit.php?m=bla
The first of these does give a sql error which probably should be hidden - The only effect of the second appears to be
to put a "0" above the list of posts

PHP-Warnings:
  /wp.php?author=bla
  /wp-commentsrss2.php?p=999999
  /wp-admin/options.php?option_group_id=1888
  /wp-admin/post.php?action=edit&post=2890000000000
All of these do produce PHP Errors.

If the main devs are busy on working on WP1.5 / Have already fixed this issues in CVS and not had the time to back
port them to 1.2.2 I am quite willing to spend some time looking into them and trying to produce a patch or v1.2.2 to
address these issues.

Cheers

Peter

[1] - http://seclists.org/lists/bugtraq/2004/Dec/0297.html
[2] - http://bugs.gentoo.org/show_bug.cgi?id=74649
[3] - http://comox.textdrive.com/pipermail/hackers/2004-December/003479.html
[4] - http://mosquito.wordpress.org/
- --
Peter Westwood
westi on #wordpress
Blog: http://www.ftwr.co.uk/blog/
Get Firefox: http://www.spreadfirefox.com/?q=affiliates&id=20287

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFB9g7VVPRdzag0AcURAs6NAKCdvVKPaTSVTvZ/tGnElpFH3t60HgCgyK0e
iwfHFogeKltX1OVfcN0cOzo=
=1/dm
-----END PGP SIGNATURE-----

More information about the hackers mailing list