Message-ID: <008d01cefb34$06afaa90$9b7a6fd5@pc>
Date: Tue, 17 Dec 2013 16:26:12 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: CSRF, DoS and IL vulnerabilities in WordPress
Hello list!
As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219),
I conducted a Day of bugs in WordPress 3. On 30.11.2013 I disclosed many new
vulnerabilities in WordPress. I've disclosed 10 holes (they were placed at
my site for your attention). And this is a translation of the second part of
these holes.
These are Cross-Site Request Forgery, Denial of Service and Information
Leakage vulnerabilities in WordPress.
-------------------------
Affected products:
-------------------------
WordPress 2.0.11 and previous versions (which had this functionality) are
vulnerable to CSRF and DoS. Instead of fixing the holes, developers
removed this functionality.
WordPress 3.7.1 and previous versions are vulnerable to Information
Leakage, and also WP 3.8, which was released on 14.12.2013 (since
developers traditionally made their new version "vulnerabilities
compatible").
----------
Details:
----------
Cross-Site Request Forgery (WASC-09) / Denial of Service (WASC-10):
There is no protection against CSRF in the retrospam functionality.
http://site/wp-admin/options-discussion.php?action=retrospam
The request starts a check of the comments against the stop-words, which
overloads the server. The more words in the list (and it's possible to add
any number of them via an XSS vulnerability) and the more comments on the
site, the greater the overload.
Cross-Site Request Forgery (WASC-09):
http://site/wp-admin/options-discussion.php?action=retrospam&move=true&ids=1
This request moves comments, including moderated ones, to the moderation
list. It's only needed to set the ids of the comments.
Information Leakage (WASC-13):
On requesting the page options.php it's possible to receive important data
from the DB, both with access to the admin panel and by getting the content
of the page via an XSS attack. In particular, different keys, salts, logins
and passwords, such as auth_key, auth_salt, logged_in_key, logged_in_salt,
nonce_key, nonce_salt, mailserver_login, mailserver_pass (the number of
parameters depends on the version of WP).
http://site/wp-admin/options.php
About the leakage of the login and password of the e-mail account (which are
saved in the DB in plain text) on another page of the admin panel I wrote in
a previous advisory (http://seclists.org/fulldisclosure/2013/Dec/135). This
is the second page where there is a leakage of this data. It allows taking
over this site (including in the future, via the password recovery function)
and other sites with a password recovery function which will send letters to
this e-mail, because a user may use his main e-mail account in the settings
(I saw such cases on the Internet).
------------
Timeline:
------------
2013.11.30 - disclosed at my site (http://websecurity.com.ua/6906/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
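A defender-side triage check for the two admin requests named in the advisory, added here as an example and not part of the original post: it parses combined-format access log lines (constructed samples; the site host `blog.example` and the IPs are assumptions) and flags `retrospam` and `options.php` requests that arrive without a same-site Referer.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Admin endpoints named in the advisory; the site hostname is an assumption
SITE_HOST = "blog.example"
WATCHED = {"/wp-admin/options-discussion.php", "/wp-admin/options.php"}

def classify(line):
    """Return a finding string for a suspicious admin request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if url.path not in WATCHED:
        return None
    qs = parse_qs(url.query)
    action = qs.get("action", [""])[0]
    referer = m["referer"]
    referer_host = urlsplit(referer).hostname if referer and referer != "-" else None
    cross_site = referer_host != SITE_HOST  # missing or foreign Referer
    if url.path.endswith("options-discussion.php") and action == "retrospam":
        kind = "retrospam-move" if qs.get("move", [""])[0] == "true" else "retrospam-scan"
        if cross_site:
            return f"{m['ip']} {kind} without same-site Referer (possible CSRF)"
        return None
    if url.path.endswith("options.php") and m["status"] == "200" and cross_site:
        return f"{m['ip']} options.php read without same-site Referer (possible key/salt leak)"
    return None

def scan(lines):
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Dec/2013:16:26:12 +0200] "GET /wp-admin/options-discussion.php?action=retrospam HTTP/1.1" 200 512 "http://attacker.example/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Dec/2013:16:26:13 +0200] "GET /wp-admin/options-discussion.php?action=retrospam&move=true&ids=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Dec/2013:16:27:00 +0200] "GET /wp-admin/options-discussion.php?action=retrospam HTTP/1.1" 200 512 "http://blog.example/wp-admin/options-discussion.php" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Dec/2013:16:28:00 +0200] "GET /wp-admin/options.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A missing Referer is also produced by browser privacy settings, and a request issued through the XSS path the advisory mentions carries a same-site Referer, so this is a log-triage heuristic and not a substitute for nonce validation on the endpoints.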
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/