WordPress MU < 2.6 wpmu-blogs.php Cross Site Scripting vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: WordPress MU < 2.6 wpmu-blogs.php Cross Site Scripting vulnerability
- From: Juan Galiana <jgaliana@xxxxxxxxx>
- Date: Mon, 29 Sep 2008 23:35:26 +0200
- Security Advisory -
- WordPress MU < 2.6 wpmu-blogs.php Cross Site Scripting vulnerability -
-----------------------------------------------------------------------
Product: Wordpress-MU (multi-user)
Version: Versions prior to 2.6 are affected
Url: http://mu.wordpress.org
Affected by: Cross Site Scripting Attack
I. Introduction.
Wordpress-MU, or multi-user, allows running unlimited blogs with a
single install of WordPress. It's widely used; some examples are
WordPress.com and universities like Harvard.
II. Description and Impact
Wordpress-MU is affected by a Cross Site Scripting vulnerability. An
attacker can perform an XSS attack that gives access to the targeted
user's cookies, which can be used to gain administrator privileges.
In /wp-admin/wpmu-blogs.php an attacker can inject JavaScript code
because the GET input variables "s" and "ip_address" aren't properly
sanitized.
Here is a PoC:
PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&s=%27[XSS]
PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&ip_address=%27[XSS]
The impact is that the attacker can gain administrator privileges on
the application.
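An added example (not part of the original advisory): a log-triage script that flags requests to wpmu-blogs.php whose "s" or "ip_address" values decode to quote or angle-bracket characters, the pattern the PoC URLs begin with. The combined access-log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script and parameters named in the advisory.
TARGET_SCRIPT = "/wp-admin/wpmu-blogs.php"
WATCHED_PARAMS = ("s", "ip_address")
# Characters that can break out of an HTML attribute or tag context.
MARKUP_CHARS = re.compile(r"""['"<>]""")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched params carrying markup characters."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # endswith() also covers installs under a sub-path such as /mu/.
    if not url.path.endswith(TARGET_SCRIPT):
        return []
    # parse_qs percent-decodes values, so %27 is seen as a single quote.
    query = parse_qs(url.query, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if MARKUP_CHARS.search(value):
                hits.append((name, value))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2008:10:00:00 +0200] "GET /wp-admin/wpmu-blogs.php?action=blogs&s=myblog HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Oct/2008:10:01:00 +0200] "GET /mu/wp-admin/wpmu-blogs.php?action=blogs&s=%27%3Emarker HTTP/1.1" 200 5200',
    '203.0.113.9 - - [01/Oct/2008:10:02:00 +0200] "GET /mu/wp-admin/wpmu-blogs.php?action=blogs&ip_address=%27x HTTP/1.1" 200 5180',
    '203.0.113.7 - - [01/Oct/2008:10:03:00 +0200] "GET /index.php?s=%27test HTTP/1.1" 200 900',
]


def scan(lines):
    """Return (line_number, param, value) for every flagged request."""
    return [(n, p, v) for n, line in enumerate(lines, 1) for p, v in suspicious_params(line)]


if __name__ == "__main__":
    for n, param, value in scan(SAMPLE_LOG):
        print(f"line {n}: {param}={value!r}")
```

A legitimate search containing an apostrophe is flagged too, so treat hits as a triage signal. Values are decoded only once, so a double-encoded quote (%2527) is not flagged.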
III. Timeline
May 14th, 2008 - Bug discovered
May 14th, 2008 - Vendor contacted and synchronized code patching
started
May 16th, 2008 - MU trunk code fixed
July 28th, 2008 - WPMU 2.6 released
September 2nd, 2008 - WPMU 2.6.1 released
September 29th, 2008 - Security advisory released
IV. Solution
Upgrade to version 2.6 or later of WordPress multi-user. It can be
downloaded from http://mu.wordpress.org
V. Credits
Juan Galiana Lara
<jgaliana gmail com>
http://blogs.ua.es/jgaliana