Wordpress-MU, or multi-user, "allows to run unlimited blogs with a single install of wordpress. It's widely used, some examples are WordPress.com or universities like Harvard". Wordpress-MU is affected by a Cross Site Scripting vulnerability: an attacker can use it to access the targeted user's cookies and gain administrator privileges.
Credit:
The information has been provided by Juan Galiana.
Vulnerable Systems:
* Wordpress-MU versions prior to 2.6
Immune Systems:
* Wordpress-MU version 2.6 and newer
In /wp-admin/wpmu-blogs.php an attacker can inject JavaScript code because the GET parameters "s" and "ip_address" are not properly sanitized.
Here is a PoC:
PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&s=%27[XSS]
PoC: http://site/path/wp-admin/wpmu-blogs.php?action=blogs&ip_address=%27[XSS]
The impact is that the attacker can gain administrator privileges on the application.
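As an added example (not part of the advisory and not WordPress MU code), the check below parses constructed access-log lines and flags requests to wpmu-blogs.php whose decoded "s" or "ip_address" values contain characters that break out of an HTML attribute, which is what the %27 in the PoC URLs above relies on. The escaping helper shows the kind of output encoding that removes the issue; it is an assumption about the fix, not the project's own patch.

```python
import re
import html
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2008:10:01:02 +0000] "GET /wp-admin/wpmu-blogs.php?action=blogs&s=harvard HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Sep/2008:10:01:07 +0000] "GET /wp-admin/wpmu-blogs.php?action=blogs&s=%27%3E%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5211 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Sep/2008:10:01:09 +0000] "GET /wp-admin/wpmu-blogs.php?action=blogs&ip_address=%2710.0.0.1 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Sep/2008:10:01:12 +0000] "GET /wp-admin/edit.php?s=%27 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PARAMS = ("s", "ip_address")          # the two parameters named in the advisory
UNSAFE = re.compile(r"""['"<>]""")             # attribute breakout or tag-opening characters


def tainted_params(target):
    """Return {param: decoded value} for watched wpmu-blogs.php parameters carrying unsafe characters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/wpmu-blogs.php"):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)   # decodes percent-encoding once
    found = {}
    for name in WATCHED_PARAMS:
        for raw in qs.get(name, []):
            value = unquote(raw)                          # second pass catches double-encoding
            if UNSAFE.search(value):
                found[name] = value
    return found


def scan_log(text):
    """Yield one hit per log line whose request target carries a tainted watched parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tainted = tainted_params(m.group("target"))
        if tainted:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "params": tainted})
    return hits


def safe_attribute(value):
    """Encode a value for safe reflection inside an HTML attribute (assumed form of the fix)."""
    return html.escape(value, quote=True)
```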
Timeline:
May 14th, 2008 - Bug discovered
May 14th, 2008 - Vendor contacted and the start of a synchronized code patching
May 16th, 2008 - MU trunk code fixed
July 28th, 2008 - WPMU 2.6 released
September 2nd, 2008 - WPMU 2.6.1 released
September 29th, 2008 - Security advisory released
Solution:
Upgrade to version 2.6 or newer of WordPress MU. It can be downloaded from http://mu.wordpress.org