| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Dec 2013 16:26:12 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: CSRF, DoS and IL vulnerabilities in WordPress Hello list! As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPress 3. At 30.11.2013 I disclosed many new vulnerabilities in WordPress. I've disclosed 10 holes (they were placed at my site for your attention). And this is translation of the second part of these holes. These are Cross-Site Request Forgery, Denial of Service and Information Leakage vulnerabilities in WordPress. ------------------------- Affected products: ------------------------- For CSRF and DoS vulnerable are WordPress 2.0.11 and previous versions (which had this functionality). Instead of fixing the holes, developers removed this functionality. For Information Leakage vulnerable are WordPress 3.7.1 and previous versions. And also WP 3.8, which was released at 14.12.2013 (since developers traditionally made their new version "vulnerabilities compatible"). ---------- Details: ---------- Cross-Site Request Forgery (WASC-09) / Denial of Service (WASC-10): There is no protection against CSRF in retrospam functionality. http://site/wp-admin/options-discussion.php?action=retrospam The request starts checking of the comments on stop-words, which overloads the server. The more words in the list (and it's possible to add any amount of them via XSS vulnerability) and the more comments at the site, the more overload. Cross-Site Request Forgery (WASC-09): http://site/wp-admin/options-discussion.php?action=retrospam&move=true&ids=1 This request moves comments, including moderated ones, to moderation list. It's just needed to set ids of comments. Information Leakage (WASC-13): At request to the page options.php it's possible to receive important data from DB. As at access to admin panel, as it's possible to get content of the page via XSS attack. Particularly different keys, salts, logins and passwords, such as auth_key, auth_salt, logged_in_key, logged_in_salt, nonce_key, nonce_salt, mailserver_login, mailserver_pass (the amount of parameters depends on version of WP). http://site/wp-admin/options.php About leakage of login and password from e-mail account (which are saved in DB in plain text) at other page of admin panel I wrote in previous advisory (http://seclists.org/fulldisclosure/2013/Dec/135). This is the second page, where there is a leakage of this data. It allows to take over this site (including in the future, via password recovery function) and other sites, where there is password recovery function, which will send letters to this e-mail. Because an user may use his main e-mail account in the settings (I saw such cases in Internet). ------------ Timeline: ------------ 2013.11.30 - disclosed at my site (http://websecurity.com.ua/6906/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists