| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Mar 2012 23:30:48 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: XSS and BF vulnerabilities in WordPress Hello list! There are many vulnerabilities in WordPress which still not fixed. So I want to warn you about three holes, two of them already fixed and one exists even in the last version of the engine. These are Cross-Site Scripting and Brute Force vulnerabilities in WordPress. ------------------------- Affected products: ------------------------- To XSS vulnerable are WordPress 2.2.3 and previous versions. To Brute Force vulnerable are WordPress 2.3 - 3.3.1 versions. ---------- Details: ---------- XSS (WASC-08): In 2007 I've wrote about redirectors (http://websecurity.com.ua/1152/) in WordPress (http://websecurity.com.ua/1179/), for which I've released patch in MustLive Security Pack v.1.0.5 (http://websecurity.com.ua/1209/) (and this patch also protects against XSS). At that time researchers which found redirectors didn't checked them for XSS, so I did it by myself. XSS attacks are possible via these redirectors (via data URI): http://site/wp-login.php?redirect_to=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&action=logout http://site/wp-pass.php?_wp_http_referer=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B At IIS web servers the redirect is going via Refresh header, and at other web servers - via Location header. The developers fixed redirectors in WP 2.3 (and did it hiddenly, which was typical for them from 2007). So Redirector and XSS attacks are possible only in previous versions. Brute Force (WASC-11): Besides BF via XML-RPC functionality, the passwords can be picked up also via APP functionality. http://site/wp-app.php Since version WP 2.3 there is support of Atom Publishing Protocol in the engine. There is no protection against BF attacks in this functionality (Basic Authentication is used). APP functionality is turned off by default since WordPress 2.6, like XML-RPC. WP developers turned it off together with XML-RPC, i.e. not motivating it as counteraction to Brute Force, but it worked also as protection against Brute Force attack. So this issue doesn't concern those who uses WordPress since version 2.6 with default settings. But those who needs to use APP, those will have Brute Force vulnerability, because the developers didn't make reliable protection against it. ------------ Timeline: ------------ 2012.03.23 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5734/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists