<<< Date Index >>>     <<< Thread Index >>>

Re: WordPress 2.0.1 Multiple Vulnerabilities



wp-content/ is also prone to directory listing


Javor Ninov aka DrFrancky

k4p0k4p0@xxxxxxxxxxx wrote:
> /*
> ---------------------------------------------------------------
> [N]eo [S]ecurity [T]eam [NST]® WordPress 2.0.1 Multiple Vulnerabilities
> ---------------------------------------------------------------
> Program : WordPress 2.0
> Homepage: http://www.wordpress.org
> Vulnerable Versions: WordPress 2.0.1 & lower ones
> Risk: Critical!
> Impact: XSS, Full Path Disclosure, Directory Listing
> 
> -> WordPress 2.0.1 Multiple Vulnerabilities <-
> ---------------------------------------------------------------
> 
> - Description
> ---------------------------------------------------------------
> WordPress is a state-of-the-art semantic personal publishing 
> platform with a focus on aesthetics, web standards, and usability. 
> What a mouthful. WordPress is both free and priceless at the same time.
> 
> - Tested
> ---------------------------------------------------------------
> Tested in localhost & many blogs
> 
> - Bug
> ---------------------------------------------------------------
> The vendor was contacted about some other coding errors that are not 
> described here, the vendor was noticed about these bugs when this 
> advisory was published.
> 
> <+ Multiple XSS +>
> There're multiple XSS in `post comment':
> 
> [1] `name' variable is not filtered when it's assigned to `value'
>     on the `<input>' in the form when the comment it's posted.
> [2] Happends the same as [1] with `website' variable.
> [3] `comment', this variable only filtered " and ' chars, this makes 
>     possible to use < and >, thus this permit an attacker to inject 
>     any HTML (or script) code that he/she want but without any " or ' 
>     character, this only happends if the user that post the comment it's 
>     the admin (any registered kind of `user'). 
> 
> If you (or victim) is a unregistered user, you can use " and ' in your 
> HTML/script Injection using `name' or `website' variables, but if the 
> victim is the admin or a registered user these 2 fields described above 
> aren't availabe in the form so you cannot even give a value to them.
> The only remaining option it's to use the `comment' variable but here 
> we have the problem that we cannot use " or ' in HTML/SCRIPT Injected and 
> we have to make the admin to post the comment (POST method).
> 
> <+ Full path disclosure & Directory listing +>
> When I discovered this bug, I reported it to some pepople before 
> public disclosure, I was noticed that this isn't new and I 
> decided to look why they haven't patch this bug. 
> 
> As this bug it isn't patched yet, I tryed to know why and I found 
> something like this in their forum (I don't know if the person 
> that posted this was the admin but it gives the explanation):
> (Something like the following, it's not textual).
> `... these bugs are caused by badly configured .ini file, it's not 
> a bug generated by the script so it cannot be accepted as a bug of 
> WordPress...'. This is not an acceptable answer, if you think it is, 
> a bug caused because of register_globals is Off it's .ini fault and not 
> the script, they have to be kidding, if they want to make good software, 
> they have to make as far as the language can, to prevent all bugs.
> 
> There're multiple files that don't check if they are been call 
> directly. This is a problem because they expect that functions 
> that the script is going to be called to be declared.
> This kind of bug it's taken as a Low Risk bug, but it can help 
> to future attacks.
> 
> - Exploit
> ---------------------------------------------------------------
> -- Cross Site Scripting (XSS)
> PoC:
> [1] Post a comment with the following values (as unregistered user):
>     (No possible profit)
> 
> Name   : "><script>alert("WordPress PoC from");</script>
> Mail   : neosecurityteam@xxxxxxx
> Website: "><script>alert("[N]eo[S]ecurity[T]eam 
> www.neosecurityteam.net");</script>
> Comment: www.neosecurityteam.net/foro/
> 
> The injected HTML code only affects the user that posted it, not others.
> 
> [2] This way it's more intresting and useful. 
> In this case the HTML Injected will stay in the board affecting each person 
> who see it. 
> But we have two problems:
> [I ]- This comment must be posted by the admin
> [II]- We only can use the `comment' field, because the admin form to make 
>       the comment doesn't need the `name' or `website'.
>       Also the injected code cannot have any " or ' chars.
> 
> Here are my solutions:
> [I ]- We cannot give to the admin a `malicius' URL to steal the cookie
>       because it isn't via GET, it's via POST. So the solution it's to 
>       make a copy form of the real one and set the default values to 
>       the corresonding field (`comment') to make the stealing.
>       Also make the form submit itself when the page loads. Thus, we give 
>       the admin the URL of this form and he/she will post the comment 
>       with the values we set before. :)
> [II]- We can only use this field to make the injection, the `big' problem 
>       its that we cannot use " or ' chars wich means that something like 
>       window.location = "http://www.google.com.uy";; won't work.
>      
> Here are some real examples:
> 
> - <script>alert(document.cookie)</script>
> - <script>alert(String.fromCharCode(80,111,67,32,111,102,32,87,111,114,
>   100,80,114,101,115,115,32,98,121,32,75,52,80,48,32,102,114,111,109,32,
>   78,83,84))</script>
> - <script src=http://www.neosecurityteam.net></script>
> - <script>document.location = String.fromCharCode(104,116,116,112,58,47,
>   47,119,119,119,46,110,101,111,115,101,99,117,114,105,116,121,116,101,
>   97,109,46,110,101,116)</script>
> 
> As you can see this bug it's exploitable, it's only knowing a bit 
> deeper how to do XSS under some conditions. There're more 
> possibilities than described above, investigate yourself. 
> 
> -- Full path disclosure & Directory Listing
> Directory Listing: www.victim.com/wordpress/wp-includes/
> 
> Full path disclosure:
> www.victim.com/wordpress/wp-includes/default-filters.php
> www.victim.com/wordpress/wp-includes/template-loader.php
> www.victim.com/wordpress/wp-admin/edit-form-advanced.php
> www.victim.com/wordpress/wp-admin/edit-form-comment.php
> www.victim.com/wordpress/wp-includes/rss-functions.php
> www.victim.com/wordpress/wp-admin/admin-functions.php
> www.victim.com/wordpress/wp-admin/edit-link-form.php
> www.victim.com/wordpress/wp-admin/edit-page-form.php
> www.victim.com/wordpress/wp-admin/admin-footer.php
> www.victim.com/wordpress/wp-admin/menu-header.php
> www.victim.com/wordpress/wp-includes/locale.php
> www.victim.com/wordpress/wp-admin/edit-form.php
> www.victim.com/wordpress/wp-includes/wp-db.php
> www.victim.com/wordpress/wp-includes/kses.php
> www.victim.com/wordpress/wp-includes/vars.php
> www.victim.com/wordpress/wp-admin/menu.php
> www.victim.com/wordpress/wp-settings.php
> 
> - Solutions
> ---------------------------------------------------------------
> <+ Cross Site Scripting (XSS) +>
> Change lines ~21 of 'wp-comments-post.php' to:
> $comment_author       = htmlentities(trim($_POST['author']));
> $comment_author_email = htmlentities(trim($_POST['email']));
> $comment_author_url   = htmlentities(trim($_POST['url']));
> $comment_content      = htmlentities(trim($_POST['comment']));
> 
> <+ Full Path Disclosure & Directory Listing +>
> In the first line of each vulnerable file you should write:
>  if (eregi('name_of_the_file.php', $_SERVER['PHP_SELF']))
>      die('You are not allowed to see this page directly');
> 
> - References
> ---------------------------------------------------------------
> http://NeoSecurityTeam.net/advisories/Advisory-17.txt
> 
> - Credits
> --------------------------------------------------------------
> Discovered by K4P0-> k4p0k4p0[at]hotmail[dot]com
> 
> [N]eo [S]ecurity [T]eam [NST]® - http://NeoSecurityTeam.net/
> 
> Irc.InfoGroup.cl #neosecurityteam
> Questions? (Eng | Spa) -> http://NeoSecurityTeam.net/foro/
> 
> - Greets
> ---------------------------------------------------------------
> Paisterist 
> HaCkZaTaN 
> Link 
> Daemon21 
> erg0t 
> NST Comunity!
> 
> @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
> '@@@@@''@@'@@@''''''''@@''@@@''@@
> '@@'@@@@@@''@@@@@@@@@'''''@@@
> '@@'''@@@@'''''''''@@@''''@@@
> @@@@''''@@'@@@@@@@@@@''''@@@@@
> */

Attachment: signature.asc
Description: OpenPGP digital signature