[<prev] [next>] [day] [month] [year] [list]
Message-ID: <008901cb341b$46ef99a0$010000c0@ml>
Date: Thu, 5 Aug 2010 00:22:42 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: CSRF,
Information Leakage and Full path disclosure vulnerabilities in
WordPress
Hello Full-Disclosure!
I want to warn you about new security vulnerabilities in WordPress which I
published at 30.07.2010 during my Day of bugs in WordPress 2 project. This
is second advisory for this project.
------------------------------
Advisory: Day of bugs in WordPress 2: CSRF, Information Leakage and Full
path disclosure vulnerabilities in WordPress
------------------------------
URL: http://websecurity.com.ua/4420/
------------------------------
These are Cross-Site Request Forgery vulnerability which I found at
05.06.2007, Information Leakage which I found at 02.08.2009, and Full path
disclosure which I found at 29.07.2010.
------------------------------
1. Cross-Site Request Forgery.
------------------------------
Taking in account that in plugin WordPress Database Backup there is no
protection against CSRF, then with help of this CSRF vulnerability it's
possible to attack admin. It can be done for forcing of backup, in order to
get the backup of site's DB via earlier mentioned Information Leakage
vulnerability, or for the purpose of creating of large number of backup
files, to occupy free space at the server. Or in order to receive backup on
email. These CSRF-attacks are possible if plugin WP-DB-Backup is activated.
With help of CSRF-attack it's possible to make backup of any tables, as all,
as selectively (e.g. table with users wp_users). In this exploit the backup
is making with table wp_users:
http://websecurity.com.ua/uploads/2010/WordPress%20Database%20Backup%20CSRF.html
And also it's possible to simply send backup (for example with table
wp_users) to your email:
http://websecurity.com.ua/uploads/2010/WordPress%20Database%20Backup%20CSRF2.html
It's attack which I called Email me backup attack.
As I already note, this leakage of information in backup of DB is the most
dangerous concerning with that there are login and hash of admin in backup.
Which can be used for gaining access to the site. It was very actual before
releasing of WordPress 2.5, in which authorization system was remade, after
Steven Murdoch drew attention of WP developers at Cookie Authentication
vulnerability in WordPress (http://securityvulns.ru/Sdocument460.html). And
from version 2.5 in WP new authorization method via cookies is using, but
even in new versions of engine the leakage of backups is still dangerous and
it's better not to allow it.
Affected products: WordPress 2.0.11 and previous versions, with which plugin
WordPress Database Backup was shipped. Also vulnerable are plugin
WP-DB-Backup 2.0 and previous versions in any versions of WordPress (WP
2.9.2 and previous versions and potentially WP 3.0 and 3.0.1).
------------------------------
Protection against this vulnerability.
------------------------------
As I mentioned, in version 2.1 of the plugin the protection against CSRF was
added, so the last version of plugin WP-DB-Backup 2.2.2 is not vulnerable to
CSRF. So it's necessary to update plugin to the last version.
------------------------------
2. Information Leakage (via Privileges unchecked).
------------------------------
In June 2007 I already found Information Leakage vulnerability in plugin
WordPress Database Backup (it was mentioned in previous advisory). And in
August 2009 I found new vulnerability concerning with this plugin (which is
a consequence of Privileges unchecked vulnerability
(http://securityvulns.ru/Wdocument142.html), which was disclosed in July
2009). This vulnerability allows to find out the path to backup folder, and
also to reveal prefix of tables in DB.
The Privileges unchecked vulnerability in WP was found by CORE in 2009. They
used my research about Local File Inclusion in WP (many of which were
working even with Subscriber account), which I wrote about in December 2007
(CVE-2008-0196) during first Day of bugs in WordPress project. These holes
were fixed in WP 2.3.2, but, as CORE found, LFI attacks on plugins folder
were still possible (due to lack of privilege checks in WP).
This vulnerability can be used in pair with previous Information Leakage
vulnerability for revealing of full path to backups and downloading of
backups of site's DB. If to know folder's name, it's possible to easily
reveal file name (up to 1000 combination, if name of database in MySQL,
prefix and date are known) and to download the backup. Also knowing of
prefix of tables in DB will be of use at SQL Injection attack.
Leakage of information is going at accessing via admin.php to WP-DB-Backup
plugin:
http://site/wp-admin/admin.php?page=wp-db-backup.php
If plugin WordPress Database Backup is activated, then with having account
with minimal rights (Subscriber) it's possible to find out path to backup
and prefix of tables.
Affected products: WordPress 2.8 and previous versions. Vulnerability
concerns only WP and not the plugin (via this vulnerability it's possible to
attack other plugins too). In WordPress 2.8.1 this Privileges unchecked
vulnerability is already fixed, so this attack is not working.
------------------------------
Protection against this vulnerability.
------------------------------
For protection it's possible to update WordPress to not vulnerable version,
or update plugin to the last version. Beginning from version 2.1 of plugin
(including last version WordPress Database Backup 2.2.2) this vulnerability
already doesn't work (even in older vulnerable versions of engine), but Full
path disclosure hole has appeared.
------------------------------
3. Full path disclosure.
------------------------------
There are two Full path disclosure vulnerabilities in WP-DB-Backup:
http://site/wp-admin/admin.php?page=wp-db-backup.php
Vulnerability works with plugin WordPress Database Backup 2.1 and higher. It
works at users with any rights (even Subscriber) in all versions of
WordPress (until WP 2.8.1) via using above-mentioned Privileges unchecked
vulnerability.
http://site/wp-content/plugins/wp-db-backup.php
Vulnerability works in all versions of WordPress Database Backup (including
it's not fixed in the last version WP-DB-Backup 2.2.2) in all versions of
WordPress.
------------------------------
Protection against these vulnerabilities.
------------------------------
For protection it's possible to fix these Full path disclosure
vulnerabilities by yourself (as others FPD in WordPress).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists