lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041216062119.9218.qmail@www.securityfocus.com>
Date: 16 Dec 2004 06:21:19 -0000
From: Thomas Waldegger <bugtraq@...ph3us.org>
To: bugtraq@...urityfocus.com
Subject: Multiple XSS Vulnerabilities in Wordpress 1.2.1




Vendor : Wordpress
URL    : http://wordpress.org/
Version: Wordpress 1.2.1
Risk:  : XSS

* Description
WordPress is a state-of-the-art semantic personal
publishing platform with a focus on aesthetics, web
standards, and usability. [...]

Visit http://wordpress.org/ for detailed informations.

* Summary
After a quick reread of the wordpress source code I
was very disappointed about the improvements in the
new version 1.2.1 of wordpress. The developers did
not fix all flaws I mentioned in my last advisory
[1] and they did not improve the code of the files
in the administration panel. There were still a lot
of XSS vulnerabilities.

So I contaced the main developer again on October
28th and posted the notice about several security
flaws in their support forum to be sure the message
reaches the developers. On December 15th - yesterday
- they released a fixed version.

* Cross Site Scripting and similar flaws
The version 1.2.1 of wordpress was *more* vulnerable
than the 1.2 release cause of this new "feature"
in wp-login.php.

> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
!= get_settings('siteurl') )
>    update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] .
$_SERVER['REQUEST_URI']) );

With an URI like

/wp-login.php?=">&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;/script&gt;

an attacker was able to store arbitrary values in 
the global siteurl setting. 

Another issue was that an administrator or privileged
user was able to post messages, add new categories,
change profile values etc. with HTML code in it. 

Still vulnerable in WP-1.2.1:
/wp-login.php?redirect_to=[XSS]
/wp-admin/bookmarklet.php?popupurl=[XSS]
/wp-admin/bookmarklet.php?content=[XSS]

XSS vulns they did not fix:
/wp-admin/edit-comments.php?s=[XSS]
/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/link-add.php?linkurl=[XSS]
/wp-admin/link-add.php?name=[XSS]
/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
/wp-admin/link-manager.php?order_by=[XSS]
/wp-admin/link-manager.php?cat_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
/wp-admin/post.php?content=[XSS]
/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL errors:
/index.php?m=bla
/wp-admin/edit.php?m=bla
/wp-admin/link-categories.php?cat_id=bla&action=Edit

* Solution
Upgrade to Worpress 1.2.2 [2]

* Credits
Thomas Waldegger

[1] http://www.securityfocus.com/archive/1/376766
[2] http://wordpress.org/development/2004/12/one-point-two-two/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ