[wp-hackers] FW: [Full-disclosure] different Wordpress Vulnerabilities
Jeremy Visser
jeremy.visser at gmail.com
Sun Feb 11 23:25:18 GMT 2007
Ross M. W. Bennetts wrote:
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of beNi
> - Redirection Script in every Wordpress installation out there - XSS
> in every wordpress.com blog (only accessible for the admin, but
> that's probably the main aim of the attacker)
> http://mybeni.rootzilla.de/mybeNi/blog/3/
Excerpt from the blog post:
> Some hours later I stumbled over another interesting flaw, a
> Redirection Script inside Wordpress, just add
> /wp-login.php?action=logout&redirect_to=http://mybeni.tk to the blog
> root and you can send people anywhere you want (I'm sad this doesn't
> work with the "data:text/html" stuff)
If the user was sent to a URL to perform, say, a Delete action on a
post, they'd either have to confirm it with a "Yes / No", or the attacker
would have a 1-in-1000000 chance of guessing the right nonce.
> - directory traversal in the wp-backup plugin allows you to download
> etc/passwd file (i hope this hasnt been found before, I didnt check
> it) http://mybeni.rootzilla.de/mybeNi/blog/2/
This is old. http://security.nnov.ru/Ndocument899.html
Plus, the plugin is not included in WordPress 2.1 and later.
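An added illustration of the redirect_to problem beNi describes above (this is example code written for this message, not WordPress's own logout handler or anything from beNi's post): the fix is to validate the target before emitting the Location header, accepting only paths on the blog itself or absolute URLs whose host is on an allowlist. The host name blog.example.org, the fallback "/" and the function names are assumptions; the sample inputs are constructed, starting from the mybeni.tk value in the post and adding the usual variants an open-redirect filter has to catch.

```python
from urllib.parse import urlsplit

# Added example (not WordPress code): validate a "redirect_to" parameter
# before issuing a Location header, so the logout handler cannot be used
# as an open redirector. Host names and the fallback are assumptions.
ALLOWED_HOSTS = {"blog.example.org"}
FALLBACK = "/"


def safe_redirect_target(redirect_to, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return redirect_to if it stays on an allowed host, otherwise fallback.

    Rejects absolute URLs to other hosts, scheme-relative "//evil", backslash
    variants, non-http(s) schemes (javascript:, data:), "http:/evil" (which
    browsers read as http://evil) and userinfo tricks such as
    http://blog.example.org@evil/.
    """
    if not redirect_to:
        return fallback
    # Browsers drop tab/CR/LF and treat "\" as "/" in URLs; normalise the
    # same way before parsing so the check sees what the browser will see.
    candidate = "".join(ch for ch in redirect_to if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme:
        # Absolute URL: only http(s) with an explicit authority is acceptable.
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return fallback
    if parts.netloc:
        # .hostname strips userinfo and port and lower-cases the host.
        if parts.hostname not in allowed_hosts:
            return fallback
        return candidate
    # No authority: must be an absolute path on this site. "///x" parses
    # with an empty netloc but is still scheme-relative to the browser.
    if candidate.startswith("//") or not parts.path.startswith("/"):
        return fallback
    return candidate


# Constructed sample inputs: the value from the post plus common variants.
SAMPLES = [
    "http://mybeni.tk",
    "//mybeni.tk/",
    "/\\mybeni.tk",
    "http:/mybeni.tk",
    "javascript:alert(1)",
    "http://blog.example.org@mybeni.tk/",
    "http://blog.example.org.mybeni.tk/",
    "/wp-admin/",
    "https://blog.example.org/wp-admin/post.php",
]


def check_samples():
    """Map each sample to where the logout handler would actually send the user."""
    return {s: safe_redirect_target(s) for s in SAMPLES}


if __name__ == "__main__":
    for src, dst in check_samples().items():
        print(f"{src!r:45} -> {dst}")
```

The allowlist is an exact host match on purpose: a suffix check ("ends with example.org") is what lets blog.example.org.mybeni.tk through, and checking the raw string for the host name instead of the parsed hostname is what lets the userinfo trick through.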
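An added illustration of the nonce argument in the reply above, showing why a redirect alone cannot trigger a Delete (example code written for this message, not WordPress's actual nonce implementation): the nonce is an HMAC over the action, the user and a time tick, so a link the attacker builds without knowing the secret fails the server-side check, and the victim's session cookie does not help because the user id is part of the keyed message. The secret, the 12-hour tick, the 16-hex-character truncation and the handler name are assumptions.

```python
import hashlib
import hmac
import time

# Added example (not WordPress code): a per-user, per-action nonce of the
# kind the reply relies on. Secret and tick length are assumptions; a real
# site uses a random per-install key.
SECRET = b"constructed-example-secret-do-not-reuse"
TICK_SECONDS = 12 * 60 * 60  # a nonce stays valid for this tick and the next


def _tick(now):
    return int(now // TICK_SECONDS)


def _nonce_for(tick, action, user_id, secret):
    msg = f"{tick}|{action}|{user_id}".encode()
    # Truncating keeps URLs short; 64 bits is still far beyond what an
    # attacker can guess when each try costs one victim click.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def make_nonce(action, user_id, now=None, secret=SECRET):
    """Nonce to embed in a link such as post.php?action=delete&post=42&_wpnonce=..."""
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), action, user_id, secret)


def verify_nonce(nonce, action, user_id, now=None, secret=SECRET):
    """True only if nonce was minted for this action and user in the current or previous tick."""
    now = time.time() if now is None else now
    if not nonce:
        return False
    tick = _tick(now)
    for t in (tick, tick - 1):
        expected = _nonce_for(t, action, user_id, secret)
        # Constant-time comparison; encode so odd input cannot raise TypeError.
        if hmac.compare_digest(nonce.encode(), expected.encode()):
            return True
    return False


def handle_delete_post(params, user_id, now=None):
    """Server-side handler for a state-changing request.

    params is the parsed query string the victim's browser sends after the
    redirect; user_id comes from the session cookie, never from the URL.
    """
    post_id = params.get("post", "")
    if not verify_nonce(params.get("_wpnonce", ""), f"delete-post_{post_id}", user_id, now):
        return 403, "nonce check failed"
    return 200, f"post {post_id} deleted"


if __name__ == "__main__":
    admin = 1
    good = make_nonce("delete-post_42", admin)
    # Attacker-built redirect target: no valid nonce, so the delete is refused.
    print(handle_delete_post({"post": "42"}, admin))
    # The admin's own link, generated with the secret, goes through.
    print(handle_delete_post({"post": "42", "_wpnonce": good}, admin))
```

Binding the nonce to the user id is the part that matters for the redirect scenario: a nonce the attacker obtains for their own account does not verify for the admin, and one minted for a different action or an expired tick fails in the same way.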