lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <004e01cc9cab$27a8db20$9b7a6fd5@ml>
Date: Sun, 6 Nov 2011 19:40:06 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Strictly social XSS vulnerability in WordPress

Hello list!

I want to warn you about Cross-Site Scripting vulnerability in WordPress.
Which I've found already at 15.10.2008 and to which all versions of
WordPress are vulnerable.

SecurityVulns ID: 12022.

There is Cross-Site Scripting vulnerability in WordPress, in this case
Strictly social XSS (http://websecurity.com.ua/5476/). At that at once of
two types of this XSS class: Strictly social XSS persistent (link with
JavaScript/VBScript) and Strictly social XSS persistent self-contained (link
with data with JavaScript). This is good example of these two types of
Strictly social XSS vulnerabilities (as all other examples of holes in
browsers, web applications and web sites mentioned in my article).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of WordPress - WP 3.2.1 and previous versions.
I've tested in different 2.0.x versions, including 2.0.11, and in 3.1.1.

----------
Details:
----------

XSS (WASC-08):

In comment field (parameter comment):

<a href="javascript:alert(document.cookie)">test</a>
<a href="vbscript:MsgBox(document.cookie)">test</a>
<a
href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+">test</a>

The attack will work only if admin has published a comment, but not non-auth
user. For this it's possible to use CSRF vulnerability  in WordPress <=
2.1.2 (http://securityvulns.ru/Qdocument260.html). In the description of
this vulnerability ciri wrote about persistent XSS (which worked with CSRF),
but I was talking about Strictly social XSS. In new versions of WP, where
there is a protection against CSRF, it's possible to use reflected XSS hole
(or to use other techniques developed by me) for bypassing of this
protection and publishing of the comment with attacking code.

The developers had already fixed CSRF in WordPress 2.0.10 and 2.1.3, but
possibility of conducting Strictly social XSS (via anchor tag) still left
even in the last version of WP. The developers decided to not remove this
admin functionality, for complete fixing of XSS, limiting themselves to
fixing CSRF. So as above-mentioned persistent XSS, as Strictly social XSS
found by me, are still working.

I mentioned about this vulnerability at my site:
http://websecurity.com.ua/5481/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ