Message-ID: <20071214220711.12310.qmail@securityfocus.com>
Date: 14 Dec 2007 22:07:11 -0000
From: th3.r00k.nospam@...k.gmail.com
To: bugtraq@...urityfocus.com
Subject: Wordpress - Broken Access Control

By Michael Brooks

Vulnerability: Broken Access Control

Homepage: http://wordpress.org/download

Software: Wordpress

Version affected: 2.3.1 (latest at the time of writing)



The impact of the flaw is that an attacker can read posts while they are still drafts, an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published, or a spam blog harvesting posts before they are published.



This flaw exists because WordPress trusts the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many XSS flaws. Although an attacker shouldn't be able to control all $_SERVER variables, none of them should be trusted.



Exploit:

http://localhost/wordpress/'wp-admin/


This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value:
http://localhost/wordpress/'wp-admin/


Vulnerable function:

Line 34 of ./wp-includes/query.php:

function is_admin () {
	global $wp_query;

	// Substring match on the raw request URI: any URI containing "wp-admin/" is treated as an admin request.
	return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

The same flaw is duplicated again on line 645 of the same file.



This URL: http://localhost/wordpress/'wp-admin/
will cause the is_admin() function to return true. The flaw works regardless of register_globals or magic_quotes_gpc. The attack fails when search engine friendly URLs are turned on in WordPress; however, this option is turned off by default. Turning search engine friendly URLs on is a workaround until a patch is created.
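To make the difference concrete, here is an added illustration (not code from WordPress or from this advisory) contrasting the substring test quoted above with a check that derives the admin context from the script the server actually executed, which the client cannot choose; the file paths, admin directory and function names are assumed.

```php
<?php
// Added example: the advisory's substring test beside a check that
// ignores the request URI. Paths and names below are assumed.

// Vulnerable form: true whenever the raw request URI contains "wp-admin/",
// whatever path the request actually maps to on the server.
function is_admin_by_uri(string $request_uri): bool {
    return stripos($request_uri, 'wp-admin/') !== false;
}

// Lexically collapse "." and ".." and duplicate slashes so that prefix
// comparison below cannot be confused by path games.
function normalize_path(string $path): string {
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Hardened form: decide from the filesystem path of the entry point the
// server executed ($_SERVER['SCRIPT_FILENAME'] in practice), not from
// anything the client sent. Trailing slash keeps "wp-admin-foo/" from matching.
function is_admin_by_script(string $script_filename, string $admin_dir): bool {
    $script = normalize_path($script_filename);
    $admin  = normalize_path($admin_dir) . '/';
    return strncmp($script, $admin, strlen($admin)) === 0;
}

// Constructed requests: the first two are served by the front-end
// index.php, only the third is a genuine request to the admin area.
$admin_dir = '/var/www/wordpress/wp-admin';
$cases = [
    ["/wordpress/",           "/var/www/wordpress/index.php"],
    ["/wordpress/'wp-admin/", "/var/www/wordpress/index.php"],          // advisory payload
    ["/wordpress/wp-admin/",  "/var/www/wordpress/wp-admin/index.php"], // real admin page
];
foreach ($cases as [$uri, $script]) {
    printf("%-24s uri-check=%-5s script-check=%s\n", $uri,
        var_export(is_admin_by_uri($uri), true),
        var_export(is_admin_by_script($script, $admin_dir), true));
}
```

The URI check reports true for the payload URL even though the front-end script served it, while the script-based check only reports true for the request that actually ran a file under wp-admin.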



Peace
