Message-ID: <473A9B0E.90702@subverted.org>
Date: Tue, 13 Nov 2007 23:51:58 -0700
From: dave-san <dave@...verted.org>
To: XSS Worm XSS Security Information Portal
<cross-site-scripting-security@...worm.com>
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: Re: Wordpress 2.3 Cross Domain Content Insertion - New vulnerability + exploit - xssworm.com
Comments inline..
XSS Worm XSS Security Information Portal wrote:
> *0day XSS Exploit for Wordpress 2.3* – wp-slimstat 0.92 – [xssworm.com]
>
> Source:
> http://xssworm.blogvis.com/13/xssworm/0day-inject-exploit-for-wordpress-23-xsswormcom-all-version-vulnerable-with-no-patch/
>
> There is a serious hole in wordpress 2.3 that can be used with XSS by a
> blackhat hacker to attack the wordpress administrator and steal cookies from
> blogmins. This attack is known as 0day because it has just been reported to
> the public and this is the first day of the public vulnerability, and *0day means
> 'published.*'
> Proof of concept:
>
> http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>
>
Hmm.. XSS shellcode? That's a new one for me. I'll take this to mean the
injected script. From your post, I don't think you mean "shellcode" in
the traditional sense.
> This attack is to be used against the wordpress web blog blogmin to steal the
> blogosphere token to hack blogs. Of course we have included exploit code for
> this bug below.
>
> We have looked at the coding for wp-slimstat but we cannot see any problem with
> input validation. Maybe some of the xssworm.com readers can show us where the
> problem is in the php code because we cannot see any problem here:
>
> –snips:
>
> C:\temp>findstr GET wp-slimstat.php
> $myFilterField = intval( $_GET['ff'] );
> $myFilterType = intval( $_GET['ft'] );
> $myFilterString = $_GET['fi'];
> $myFilterInterval = $_GET['fd'];
> $myFilterField = intval( $_GET['ff'] );
> $myFilterType = intval( $_GET['ft'] );
> $myFilterString = $_GET['fi'];
> $myFilterInterval = $_GET['fd'];
> '.(!empty($myFilterString)?'— <a href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset filters', 'wp-slimstat').'</a>':'').'
> <input type="hidden" name="page" value="'.$_GET['page'].'" />
> <input type="hidden" name="panel" value="'.$_GET["panel"].'" />
> <input type="hidden" name="fd" value="'.$_GET["fd"].'" /></form>';
>
It's late, and I might have missed something, but from the above, I
don't see where the vulnerable parameter is being written back to the
HTML response. Therefore, I don't think there is enough code in the
lines above to locate the entire issue (though it looks like other
parameters are vulnerable too). You mentioned:
ft=<xss shellcode>
So, in this example, "ft" is the vulnerable parameter. Trace what
happens in code with that parameter after it receives input. I'd guess
that there is something like..
echo '<maybe some HTML crap here>'. $myFilterType .' more...
or
echo '<ditto>'.$_GET["ft"].'<ditto>..
Perhaps take a look at where they missed the output formatting/encoding
for HTML. I may be so bold as to suggest that the lack of output
encoding is the major reason that XSS exists.
> –snips
>
> With the programmer using the $_GET variable from the user in an echo into the html output,
> maybe the php automatic GET validation filtering is not working for security? We
> are not programmers of php so we cannot see any problems here as the bug is too
> complex to understand.
> Many thanks for your comments on this vulnerability in wordpress 2.4
..edit
>
> Thanks vaj
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
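The reflected-parameter pattern dave-san describes above, as an added example that is not code from wp-slimstat or from either poster: a hidden-field form that writes query parameters back into the admin page, first unencoded (the class of bug discussed in the thread), then with the page, panel and ft values handled the way the reply recommends. The function names, the form layout and the request array are constructed for this illustration; only htmlspecialchars, ENT_QUOTES and intval are real PHP.

```php
<?php
// Added example (not from the wp-slimstat plugin or either poster).
// Demonstrates why "intval() on input" alone does not prevent XSS when
// the raw $_GET value is what gets written back into the HTML response.

// Vulnerable form: echoes the raw query parameters. A value containing
// a double quote closes the value="" attribute early, and anything that
// follows is parsed by the browser as new markup.
function render_filter_form_unsafe(array $get): string
{
    $page  = $get['page']  ?? '';
    $panel = $get['panel'] ?? '';
    $ft    = $get['ft']    ?? '';
    return '<form method="get">'
        . '<input type="hidden" name="page" value="' . $page . '" />'
        . '<input type="hidden" name="panel" value="' . $panel . '" />'
        . '<input type="hidden" name="ft" value="' . $ft . '" />'
        . '</form>';
}

// Output encoding for the HTML-attribute context. ENT_QUOTES makes
// htmlspecialchars() escape both " and ', so an attribute value can
// never be terminated by user input; < and > become entities as well.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Fixed form: free-text parameters are encoded at the point they are
// written out, and the numeric parameter is cast once and the cast
// result (never $_GET['ft'] itself) is what reaches the response.
function render_filter_form_safe(array $get): string
{
    $page  = esc((string) ($get['page'] ?? ''));
    $panel = esc((string) ($get['panel'] ?? ''));
    $ft    = intval($get['ft'] ?? 0);
    return '<form method="get">'
        . '<input type="hidden" name="page" value="' . $page . '" />'
        . '<input type="hidden" name="panel" value="' . $panel . '" />'
        . '<input type="hidden" name="ft" value="' . $ft . '" />'
        . '</form>';
}

// Constructed request (stands in for $_GET): ft carries a quote and a
// harmless <b> tag so the two renderings can be compared side by side.
$constructed_get = [
    'page'  => 'wp-slimstat/wp-slimstat.php',
    'panel' => '1',
    'ft'    => '"><b>not a number</b>',
];

echo "unsafe: ", render_filter_form_unsafe($constructed_get), PHP_EOL;
echo "safe:   ", render_filter_form_safe($constructed_get), PHP_EOL;
echo "encoded ft: ", esc($constructed_get['ft']), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: in the unsafe rendering the ft attribute is closed by the quote and the `<b>` tag appears as live markup in the page; in the safe rendering ft is reduced to an integer and the quote and angle brackets in the third line have become `&quot;`, `&gt;` and `&lt;`. This is the trace dave-san suggests doing in the real plugin: find the echo that writes the parameter, and check whether it uses the validated variable (or an encoded copy) rather than the raw request value.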