[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAPKwhwtcy7JmSO6dqXKP17g++W8Kjhg2mg46ufzjUrEBHW_tMw@mail.gmail.com>
Date: Mon, 27 Apr 2015 17:01:50 -0400
From: Scott Arciszewski <scott@...iszewski.me>
To: Ryan Dewhurst <ryandewhurst@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] WordPress 4.2 stored XSS
"We also welcome bug reports for the open source projects WordPress,
BuddyPress, and bbPress."
Oh, I see. I was mistaken.
On Mon, Apr 27, 2015 at 4:51 PM, Ryan Dewhurst <ryandewhurst@...il.com>
wrote:
> They're registered as part of Automattic -
> https://hackerone.com/automattic
>
> On Mon, Apr 27, 2015 at 10:41 PM, Scott Arciszewski <scott@...iszewski.me>
> wrote:
>
>> The author added a note on his page: http://klikki.fi/adv/wordpress2.html
>>
>> Also, searching HackerOne does not reveal a public WordPress program, only
>> WP-API. Does this mean that WordPress was privately participating in
>> HackerOne for select hackers? If so, revealing that publicly is kind of
>> rude. :(
>>
>> On Mon, Apr 27, 2015 at 11:55 AM, Anthony Ferrara <ircmaxell@...il.com>
>> wrote:
>>
>> > Just for clarification, was the project given a chance to fix this or
>> > notified in any way prior to public announcement?
>> >
>> > On Sun, Apr 26, 2015 at 4:13 PM, Jouko Pynnonen <jouko@....fi> wrote:
>> > > *Overview*
>> > > Current versions of WordPress are vulnerable to a stored XSS. An
>> > > unauthenticated attacker can inject JavaScript in WordPress comments.
>> The
>> > > script is triggered when the comment is viewed.
>> > >
>> > > If triggered by a logged-in administrator, under default settings the
>> > > attacker can leverage the vulnerability to execute arbitrary code on
>> the
>> > > server via the plugin and theme editors.
>> > >
>> > > Alternatively the attacker could change the administrator’s password,
>> > > create new administrator accounts, or do whatever else the currently
>> > > logged-in administrator can do on the target system.
>> > >
>> > >
>> > >
>> > >
>> > > *Details*
>> > > If the comment text is long enough, it will be truncated when
>> inserted in
>> > > the database. The MySQL TEXT type size limit is 64 kilobytes so the
>> > comment
>> > > has to be quite long.
>> > >
>> > > The truncation results in malformed HTML generated on the page. The
>> > > attacker can supply any attributes in the allowed HTML tags, in the
>> same
>> > > way as the previous stored XSS vulnerabilities affecting WordPress.
>> > >
>> > > The vulnerability bears a similarity to the one reported by Cedric Van
>> > > Bockhaven in 2014 (patched this week, after 14 months). Instead of
>> using
>> > an
>> > > invalid UTF-8 character to truncate the comment, this time an
>> excessively
>> > > long comment text is used for the same effect.
>> > >
>> > > In these two cases the injected JavaScript apparently can't be
>> triggered
>> > in
>> > > the administrative Dashboard, so these exploits require getting around
>> > > comment moderation e.g. by posting one harmless comment first.
>> > >
>> > >
>> > >
>> > >
>> > > *Proof of Concept*
>> > > Enter the following as a comment:
>> > >
>> > > <a title='x onmouseover=alert(unescape(/hello%20world/.source))
>> > > style=position:absolute;left:0;top:0;width:5000px;height:5000px
>> > > AAAAAAAAAAAA [64 kb] ...'></a>
>> > >
>> > >
>> > > This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions
>> 5.1.53
>> > > and 5.5.41.
>> > >
>> > >
>> > >
>> > >
>> > > *Solution*
>> > > Disable comments (Dashboard, Settings/Discussion, select as
>> restrictive
>> > > options as possible). Do not approve any comments.
>> > >
>> > >
>> > >
>> > >
>> > > *Credits*
>> > > The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.
>> > >
>> > > An up-to-date version of this document:
>> > http://klikki.fi/adv/wordpress2.html
>> > >
>> > >
>> > >
>> > > --
>> > > Jouko Pynnönen <jouko@....fi>
>> > > Klikki Oy - http://klikki.fi - @klikkioy
>> > >
>> > > _______________________________________________
>> > > Sent through the Full Disclosure mailing list
>> > > https://nmap.org/mailman/listinfo/fulldisclosure
>> > > Web Archives & RSS: http://seclists.org/fulldisclosure/
>> >
>> > _______________________________________________
>> > Sent through the Full Disclosure mailing list
>> > https://nmap.org/mailman/listinfo/fulldisclosure
>> > Web Archives & RSS: http://seclists.org/fulldisclosure/
>> >
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists