| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 5 May 2012 16:01:53 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: IAA, Redirector and XSS vulnerabilities in WordPress Hello list! I want to warn you about security vulnerabilities in WordPress. These are Insufficient Anti-automation, Redirector and Cross-Site Scripting vulnerabilities. ------------------------- Affected products: ------------------------- Vulnerable are WordPress 2.0 - 3.3.1. ---------- Details: ---------- Already from WP 2.0 there are Insufficient Anti-automation, Redirector and XSS vulnerabilities in wp-comments-post.php. With IAA I've faced just when begun using WP in 2006. If the developers fixed vulnerabilities in previous two redirectors in WP 2.3, then these vulnerabilities were not fixed even in WP 3.3.1 IAA (WASC-21): Lack of captcha in comment form allows to conduct automated attacks. The developers still haven't put captcha in WP comments form (from the first version of engine), which besides IAA attacks, also allowed to conduct Redirector and XSS attacks. By default in WordPress the premoderation is turned on, and also there is built-in anti-spam filter. But if 10 years ago the premoderation would be enough, then long ago this mechanism couldn't be considered as sufficient protection against spam, and anti-spam filter had efficiency less then 1% - only few from spam messages he marked as spam. And also these mechanisms don't protect against below-mentioned attacks. Also plugin Akismet is bundled with WP, which is "captcha-less" protection against spam. But by default it's turned off and comparing with captcha it's considered as less efficient and also doesn't protect against below-mentioned attacks. Redirector (URL Redirector Abuse) (WASC-38): Exploit: http://websecurity.com.ua/uploads/2012/WordPress%20Redirector.html XSS (WASC-08): Exploit: http://websecurity.com.ua/uploads/2012/WordPress%20XSS.html XSS attack is possible on different browsers, but it's harder to conduct then in case of previous two redirectors (via data URI). At IIS web servers the redirect is going via Refresh header, and at other web servers - via Location header. Due to nuances of work of this script (filtering of important symbols and adding of anchor), for execution of JS code it's needed to use tricky bypass methods. This complexity exists as with javascript URI, as with combo variant javascript URI + data URI. Reliable captcha protects against IAA, Redirector and XSS vulnerabilities. ------------ Timeline: ------------ 2012.04.26 - disclosed at my site (http://websecurity.com.ua/5818/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists