lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 27 Jun 2013 19:34:46 +0200
From: Ryan Dewhurst <ryandewhurst@...il.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
 1337 Exploit DataBase <mr.inj3ct0r@...il.com>,
 submissions@...ketstormsecurity.org
Subject: Re: Denial of Service in WordPress

This just affects the client though right? So doesn't DoS a WordPress blog,
just presents an error message to the user if they click on a crafted link.
How could this be used in the real world to cause any risk?

>From my understanding you'd have to get the user to click on the tinyurl,
which would then show them a browser redirect error? If this is the case,
how does this benefit an attacker?


On Thu, Jun 27, 2013 at 7:28 PM, MustLive <mustlive@...security.com.ua>wrote:

> Hello list!
>
> These are Denial of Service vulnerabilities WordPress. Which I've
> disclosed two days ago (http://websecurity.com.ua/**6600/<http://websecurity.com.ua/6600/>
> ).
>
> About XSS vulnerabilities in WordPress, which exist in two redirectors, I
> wrote last year (http://seclists.org/**fulldisclosure/2012/Mar/343<http://seclists.org/fulldisclosure/2012/Mar/343>).
> About Redirector vulnerabilities in these WP scripts I wrote already in
> 2007 (and made patches for them). The developers fixed redirectors in WP
> 2.3, so Redirector and XSS attacks are possible only in previous versions.
>
> As I've recently checked, this functionality can be used for conducting
> DoS attacks. I.e. to make Looped DoS vulnerabilities from two redirectors
> (according to Classification of DoS vulnerabilities in web applications (
> http://websecurity.com.ua/**2663/) <http://websecurity.com.ua/2663/)>),
> by combining web site on WordPress with redirecting service or other site.
> This attack is similar to looping two redirectors, described in my articles
> Redirectors' hell and Hellfire for redirectors. The interesting, that
> looped redirector (http://tinyurl.com/hellfire-**url<http://tinyurl.com/hellfire-url>),
> which I've made at 5th of February 2009 for my article Hellfire for
> redirectors, is still working.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are all versions of WordPress: for easy attack - WP 2.2.3 and
> previous versions, for harder attack - WP 3.5.2 and previous versions. The
> second variant of attack requires Redirector or XSS vulnerability at the
> same domain, as web site on WP.
>
> ----------
> Details:
> ----------
>
> Denial of Service (WASC-10):
>
> It's needed to create Custom alias at tinyurl.com or other redirector
> service, which will be leading to wp-login.php or wp-pass.php with setting
> alias for redirection.
>
> http://site/wp-login.php?**action=logout&redirect_to=**
> http://tinyurl.com/loopeddos1<http://site/wp-login.php?action=logout&redirect_to=http://tinyurl.com/loopeddos1>
>
> http://site/wp-pass.php?_wp_**http_referer=http://tinyurl.**com/loopeddos2<http://site/wp-pass.php?_wp_http_referer=http://tinyurl.com/loopeddos2>
>
> Here are examples of these vulnerabilities:
>
> http://tinyurl.com/loopeddos1
>
> http://tinyurl.com/loopeddos2
>
> This attack will work for WordPress < 2.3. At that Mozilla, Firefox,
> Chrome and Opera will stop endless redirect after series of requests,
> unlike IE.
>
> To make this attack work in all versions of the engine, including
> WordPress 3.5.2, it's needed that redirector was on the same domain, as web
> site on WP. For this it can be used any vulnerability, e.g. reflected XSS
> or persistent XSS (at the same domain), for including a script for
> redirecting to one of these redirectors:
>
> WordPress_Looped_DoS.html
>
> <script>document.location="htt**p://site/wp-login.php?action=**
> logout&redirect_to=http://**site/WordPress_Looped_DoS.html<http://site/wp-login.php?action=logout&redirect_to=http://site/WordPress_Looped_DoS.html>
> **"</script>
>
> WordPress_Looped_DoS-2.html
>
> <script>document.location="htt**p://site/wp-pass.php<http://site/wp-pass.php>
> "</script>
>
> This attack will work as in WordPress 3.5.2 and previous versions, as it
> isn't stopping by the browsers (endless redirect).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ______________________________**_________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-**disclosure-charter.html<http://lists.grok.org.uk/full-disclosure-charter.html>
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ