[wp-trac] [WordPress Trac] #20593: wordpress 3.3.2 clickjacking
WordPress Trac
wp-trac at lists.automattic.com
Tue May 1 19:38:06 UTC 2012
#20593: wordpress 3.3.2 clickjacking
--------------------------+----------------------
Reporter: abysssec | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Gallery | Version:
Severity: critical | Resolution: invalid
Keywords: |
--------------------------+----------------------
Changes (by nacin):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Old description:
> WordPress admin panel has X-Frame-Options, which prevents clickjacking, but
> on the main page of the blog no X-Frame-Options has been set, so it is
> possible to trick the admin and make him post a comment using clickjacking.
> As you may know, the admin can post comments with HTML, and it is obvious
> that by default this isn't dangerous. But as the blog main page has no
> X-Frame-Options it is possible to make an XSS out of it, and finally you
> can mix clickjacking / XSS / HttpOnly disclosure to make a working exploit.
>
> here is video of PoC :
>
> http://www.sendspace.com/file/60wxge
>
> here is PoC :
>
> http://www.sendspace.com/file/o754pt
>
> Thanks, Abysssec Team
New description:
WordPress admin panel has X-Frame-Options, which prevents clickjacking, but
on the main page of the blog no X-Frame-Options has been set, so it is
possible to trick the admin and make him post a comment using clickjacking.
As you may know, the admin can post comments with HTML, and it is obvious
that by default this isn't dangerous. But as the blog main page has no
X-Frame-Options it is possible to make an XSS out of it, and finally you
can mix clickjacking / XSS / HttpOnly disclosure to make a working exploit.
Thanks, Abysssec Team
--
Comment:
In the future, please follow the instructions on the new ticket page:
= Do not report potential security vulnerabilities here. Read the
Security FAQ and email us at security at wordpress.org. =
Feel free to email us and we will gladly communicate with you.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20593#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
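The report above turns on one observable fact: wp-admin answers with X-Frame-Options while the blog's front page sends no framing header, so an attacker's origin can load the front page in an iframe. The following is an added example, not code from the ticket, from Abysssec or from WordPress core, that checks exactly that from a page's response headers. Function names (`frameProtection`, `findFramablePages`) and the header sets in `SAMPLE_SITE` are constructed for illustration; the SAMEORIGIN value for wp-admin mirrors what WordPress sends, the CSP on the login path is a made-up variant used only to exercise the CSP branch. The precedence rule (a CSP `frame-ancestors` directive overrides X-Frame-Options) follows the CSP specification.

```javascript
// Added example for this ticket; not code from the ticket or WordPress core.
// Given a page's response headers, decide whether a browser will refuse to
// render the page inside an <iframe> on another origin, the precondition for
// the clickjacking the report describes.

// Lower-case header names and collect repeated headers into arrays.
function normalizeHeaders(raw) {
  const out = {};
  for (const [name, value] of Object.entries(raw)) {
    const key = name.toLowerCase();
    const values = Array.isArray(value) ? value : [value];
    out[key] = (out[key] || []).concat(values.map((v) => String(v).trim()));
  }
  return out;
}

// Return the frame-ancestors source list from one CSP header value, or null
// when that directive is absent.
function frameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Result: { framingBlocked: boolean, reason: string }.
// framingBlocked === false means a scanner should flag the page: either any
// origin can frame it, or the header value is one browsers handle inconsistently.
function frameProtection(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);

  // CSP frame-ancestors takes precedence over X-Frame-Options, so check it first.
  for (const csp of h['content-security-policy'] || []) {
    const sources = frameAncestors(csp);
    if (sources === null) continue;
    const open = sources.some((s) => s === '*' || s === 'http:' || s === 'https:');
    if (open) {
      return { framingBlocked: false, reason: `CSP frame-ancestors allows any origin (${sources.join(' ')})` };
    }
    if (sources.length === 0 || sources.includes("'none'")) {
      return { framingBlocked: true, reason: "CSP frame-ancestors 'none'" };
    }
    return { framingBlocked: true, reason: `CSP frame-ancestors limited to ${sources.join(' ')}` };
  }

  // Fall back to X-Frame-Options. One header line may carry several
  // comma-separated values; collect the distinct ones.
  const xfo = (h['x-frame-options'] || [])
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toUpperCase())
    .filter(Boolean);
  const distinct = [...new Set(xfo)];

  if (distinct.length === 0) {
    return { framingBlocked: false, reason: 'no X-Frame-Options or CSP frame-ancestors header' };
  }
  // Only a single, unambiguous DENY or SAMEORIGIN counts as protection.
  // ALLOW-FROM, ALLOWALL, typos and conflicting values are not honoured
  // consistently across browsers, so a scanner flags them rather than trusting them.
  if (distinct.length === 1 && (distinct[0] === 'DENY' || distinct[0] === 'SAMEORIGIN')) {
    return { framingBlocked: true, reason: `X-Frame-Options: ${distinct[0]}` };
  }
  return { framingBlocked: false, reason: `unreliable X-Frame-Options value: ${distinct.join(', ')}` };
}

// Report every page whose headers leave it framable from an attacker's origin.
function findFramablePages(pages) {
  return Object.entries(pages)
    .map(([path, headers]) => ({ path, ...frameProtection(headers) }))
    .filter((r) => !r.framingBlocked);
}

// Constructed sample: the two responses the ticket contrasts, plus a made-up
// CSP-only variant on the login path to exercise the CSP branch. The admin
// entry mirrors WordPress sending X-Frame-Options: SAMEORIGIN for wp-admin;
// the front page carries no framing header at all.
const SAMPLE_SITE = {
  '/wp-admin/': {
    'Content-Type': 'text/html; charset=UTF-8',
    'X-Frame-Options': 'SAMEORIGIN',
  },
  '/': {
    'Content-Type': 'text/html; charset=UTF-8',
    'X-Pingback': 'http://blog.example/xmlrpc.php',
  },
  '/wp-login.php': {
    'Content-Type': 'text/html; charset=UTF-8',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  },
};

for (const r of findFramablePages(SAMPLE_SITE)) {
  console.log(`${r.path}: framable (${r.reason})`);
}
```

Run against the sample, only `/` is reported, which is the condition the report relies on. On the WordPress side, the admin header comes from core's `send_frame_options_header()`; a site that wants the same on the front end can attach that function to the `send_headers` action, or send a CSP `frame-ancestors` policy, and rerun the check above against live headers to confirm the header actually lands on every page that accepts authenticated actions.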