[wp-hackers] FW: [Full-disclosure] different Wordpress Vulnerabilities

Jeremy Visser jeremy.visser at gmail.com
Sun Feb 11 23:25:18 GMT 2007

Ross M. W. Bennetts wrote:

> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of beNi

> - Redirection Script in every WordPress installation out there - XSS
> in every wordpress.com blog (only accessible for the admin, but
> that's probably the main aim of the attacker)
> http://mybeni.rootzilla.de/mybeNi/blog/3/

Excerpt from the blog post:

> Some hours later I stumbled over another interesting flaw, a
> Redirection Script inside WordPress, just add
> /wp-login.php?action=logout&redirect_to=http://mybeni.tk to the blog
> root and you can send people anywhere you want (I'm sad this doesn't
> work with the "data:text/html" stuff)

If the user was sent to a URL to perform, say, a Delete action on a
post, they'd either have to confirm it with a "Yes / No" or there'd have
to be a 1-in-1000000 chance that the attacker guesses the right nonce.

> - directory traversal in the wp-backup plugin allows you to download
> etc/passwd file (I hope this hasn't been found before, I didn't check
> it) http://mybeni.rootzilla.de/mybeNi/blog/2/

This is old. http://security.nnov.ru/Ndocument899.html
Plus, the plugin is not included in WordPress 2.1 and later.
