[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <AANLkTi=U1rgQqnEbs=c9r-+XtVXfFY=c+ikiCJn-3R+Q@mail.gmail.com>
Date: Mon, 4 Oct 2010 14:17:41 +0200
From: "Jan G.B." <ro0ot.w00t@...glemail.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Multiple vulnerabilities in WordPress 2 and 3
Hello MustStfu,
I want to warn you about a heavy inform security bug which is can be
found in of any linux distribution. also, one can if he has, then you
can exploit it on windows and mac os X.
For this type of attack, which i classify as a new bug category:
fapwhilereseach, you can log in with admin credentials and then delete
* /etc/passwd on linux and darwin
* \Windows\win.com
on win95 and above.
Also it is pissbile to change the wallpaper, remove NTLloader on XP
and other impotent files.
You can read everything on my site, where I announced this bug on
1971-02-29 and i have also you me in order to read, published there
and here on my site on another day.
All versions but the one mentioned not are vulnerable. but I warn you
- this can also be a problem with other systems.
I informed microsoft, but they did not respond :(
From now on they must face the consequenes, because I am not willing
to inform them about further bugs which i will be disclosing on next
day before this other day.
Have a nice different day.
2010/10/1 MustLive <mustlive@...security.com.ua>:
> Hello Full-Disclosure!
>
> I want to warn you about Cross-Site Scripting, Full path disclosure,
> Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial
> of Service vulnerabilities in WordPress.
>
> For all these attacks it's needed to have access to admin account, or to
> have account with rights for working with plugins. Or to attack admin or
> other user with required rights via XSS, to find out token which designed to
> protect against CSRF attacks.
>
> So users of WordPress don't need to worry much about these holes (if to not
> allow above-mentioned requirements). But these vulnerabilities will come in
> useful to security researchers at access to admin panel or at existence of
> XSS at the site. So it's better for WP developers to fix them.
>
> -------------------------
> Affected products:
> -------------------------
>
> Checked in WordPress 2.0.11, 2.6.2, 2.7, 2.8, 2.9.2, 3.0.1. Versions 2.0.х
> are not vulnerable, because they have not such functionality. Vulnerable to
> different vulnerabilities are WordPress 2.6 - 3.0.1 and potentially previous
> versions.
>
> ----------
> Details:
> ----------
>
> While commenting XSS vulnerability in WordPress 3.0.1
> (http://www.securityfocus.com/archive/1/513250), I mentioned additional
> information concerning XSS vulnerability. These nuances concern and to
> below-mentioned vulnerabilities. It's possible to attack as via parameter
> checked[0], as via checked[1] and so on, and also via checked[]. In versions
> WP 2.7 and higher it's possible to use parameter action=delete-selected, and
> in versions 2.8 and higher it's also possible to use parameter
> action2=delete-selected.
>
> XSS (WASC-08):
>
> As I pointed out in above-mentioned letter, in WordPress 2.6.x Cross-Site
> Scripting attack is conducting differently. And there is almost no benefit
> from this XSS.
>
> For attack it's needed to send POST request to
> http://site/wp-admin/plugins.php with parameters _wpnonce equal token's
> value, delete-selected equal "Delete" and checked[] equal <body
> onload=alert(document.cookie)>.
>
> Vulnerable are WordPress 2.6.x and potentially previous versions.
>
> Full path disclosure (WASC-13):
>
> For attack it's needed to send POST request to
> http://site/wp-admin/plugins.php with parameters _wpnonce equal token's
> value, delete-selected equal "Delete" and checked[] equal "1".
>
> Vulnerable are WordPress 2.6.x and potentially previous versions.
>
> Full path disclosure (WASC-13):
>
> http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=1
>
> http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=1
>
> Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
> higher).
>
> Full path disclosure (WASC-13):
>
> http://site/wp-admin/plugins.php
>
> Full path is shown at page with plugins.
>
> Vulnerable are WordPress 2.6 - 2.7.1.
>
> Information Leakage (WASC-13) + Directory Traversal (WASC-33):
>
> At page (in list under the link "Click to view entire list of files which
> will be deleted") the list of files in current folder and subfolders is
> shown.
>
> In folder http://site/wp-content/plugins/:
>
> http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=
>
> http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=
>
> In folder http://site/wp-content/:
>
> http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1
>
> http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1
>
> Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
> higher). And also WordPress 2.6.х. In versions 2.6.х it's needed to send
> appropriate POST request to http://site/wp-admin/plugins.php (as mentioned
> above).
>
> Arbitrary File Deletion (WASC-42) + DoS (WASC-10):
>
> If to send above-mentioned request with parameter verify-delete=1, then it's
> possible to delete files and folders in current folder and subfolders.
> Taking into account Directory Traversal it's possible to delete as all
> plugins, as all other files in other folders, including it's possible to
> conduct DoS attack on the site (if to delete important files of WP). E.g.
> with request checked[]=../../1 it's possible to delete the whole site.
>
> http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1&verify-delete=1
>
> http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1&verify-delete=1
>
> Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
> higher). And also WordPress 2.6.х. In versions 2.6.х it's needed to send
> appropriate POST request to http://site/wp-admin/plugins.php (as mentioned
> above).
>
> ------------
> Timeline:
> ------------
>
> 2010.08.14 - found the vulnerabilities.
> 2010.09.30 - disclosed at my site. As I already wrote many times to security
> mailing lists (http://www.securityfocus.com/archive/1/510274), starting from
> 2008 I never more inform WP developers about vulnerabilities in WordPress.
>
> I mentioned about these vulnerabilities at my site
> (http://websecurity.com.ua/4575/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists