Multiple XSS Vulnerabilities in Wordpress 1.2.1

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple XSS Vulnerabilities in Wordpress 1.2.1
From: Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
Date: 16 Dec 2004 06:21:19 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Vendor : Wordpress
URL    : http://wordpress.org/
Version: Wordpress 1.2.1
Risk:  : XSS

* Description
WordPress is a state-of-the-art semantic personal
publishing platform with a focus on aesthetics, web
standards, and usability. [...]

Visit http://wordpress.org/ for detailed informations.

* Summary
After a quick reread of the wordpress source code I
was very disappointed about the improvements in the
new version 1.2.1 of wordpress. The developers did
not fix all flaws I mentioned in my last advisory
[1] and they did not improve the code of the files
in the administration panel. There were still a lot
of XSS vulnerabilities.

So I contaced the main developer again on October
28th and posted the notice about several security
flaws in their support forum to be sure the message
reaches the developers. On December 15th - yesterday
- they released a fixed version.

* Cross Site Scripting and similar flaws
The version 1.2.1 of wordpress was *more* vulnerable
than the 1.2 release cause of this new "feature"
in wp-login.php.

> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
!= get_settings('siteurl') )
>    update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] .
$_SERVER['REQUEST_URI']) );

With an URI like

/wp-login.php?=">&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;/script&gt;

an attacker was able to store arbitrary values in 
the global siteurl setting. 

Another issue was that an administrator or privileged
user was able to post messages, add new categories,
change profile values etc. with HTML code in it. 

Still vulnerable in WP-1.2.1:
/wp-login.php?redirect_to=[XSS]
/wp-admin/bookmarklet.php?popupurl=[XSS]
/wp-admin/bookmarklet.php?content=[XSS]

XSS vulns they did not fix:
/wp-admin/edit-comments.php?s=[XSS]
/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/link-add.php?linkurl=[XSS]
/wp-admin/link-add.php?name=[XSS]
/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
/wp-admin/link-manager.php?order_by=[XSS]
/wp-admin/link-manager.php?cat_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
/wp-admin/post.php?content=[XSS]
/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL errors:
/index.php?m=bla
/wp-admin/edit.php?m=bla
/wp-admin/link-categories.php?cat_id=bla&action=Edit

* Solution
Upgrade to Worpress 1.2.2 [2]

* Credits
Thomas Waldegger

[1] http://www.securityfocus.com/archive/1/376766
[2] http://wordpress.org/development/2004/12/one-point-two-two/

Prev by Date: STG Security Advisory: [SSA-20041215-19] Vulnerability of uploading files with multiple extensions in MediaWiki
Next by Date: [MaxPatrol] SQL-injection in Ikonboard 3.1.x
Previous by thread: STG Security Advisory: [SSA-20041215-19] Vulnerability of uploading files with multiple extensions in MediaWiki
Next by thread: [MaxPatrol] SQL-injection in Ikonboard 3.1.x
Index(es):
- Date
- Thread