lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <48E14A1E.4030307@gmail.com>
Date: Mon, 29 Sep 2008 23:35:26 +0200
From: Juan Galiana <jgaliana@...il.com>
To: bugtraq@...urityfocus.com
Subject: WordPress MU < 2.6 wpmu-blogs.php Crose Site Scrpting vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 - Security Advisory -

- - WordPress MU < 2.6 wpmu-blogs.php Crose Site Scrpting vulnerability -
- -----------------------------------------------------------------------


Product: Wordpress-MU (multi-user)
Version: Versions prior to 2.6 are affected
Url: http://mu.wordpress.org
Affected by: Coss Site Scripting Attack


I. Introduction.

Wordpress-MU, or multi-user, allows to run unlimited blogs with a
single install of wordpress. It's widely used, some examples are
WordPress.com or universities like Harvard


II. Description and Impact

Wordpress-MU is affected by a Cross Site Scripting vulnerability, an
attacker can perform an XSS attack that allows him to access the
targeted user cookies to gain administrator privileges

In /wp-admin/wpmu-blogs.php an attacker can inject javascript code,
the input variables "s" and "ip_address" of GET method aren't properly
sanitized  


Here is a poc:

PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&s=%27[XSS]
PoC:
http://site/path/wp-admin/wpmu-blogs.php?action=blogs&ip_address=%27[XSS]


The impact is the attacker can gain administrator privileges on the
application.


III. Timeline

May 14th, 2008       - Bug discovered
May 14th, 2008       - Vendor contacted and the start of a syncronized
code patching
May 16th, 2008       - MU trunk code fixed
July 28th, 2008      - WPMU 2.6 released
September 2nd, 2008  - WPMU 2.6.1 released
September 29th, 2008 - Security advisory released


IV. Solution

Upgrade to version 2.6 or upper of wordpress multi-user. It can be
downloaded from http://mu.wordpress.org


V. Credits

Juan Galiana Lara
<jgaliana gmail com>
http://blogs.ua.es/jgaliana
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI4UoerJ7V/gP9Hy8RArw3AJkB1a1sgO5T9dvO9tbU0/QxE8DxFQCeJCiw
yFDGBIx6Q5oyIKNEq4ZZ4Wc=
=uQu6
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ