WordPress was "born out of a desire for an elegant, well-architectured personal publishing system built on PHP and MySQL and licensed under the GPL. It is the official successor of b2/cafelog. WordPress is fresh software, but its roots and development go back to 2001. It is a mature and stable product. We hope by focusing on user experience and web standards we can create a tool different from anything else out there".
While testing WordPress it was discovered that there is an XSS vulnerability in the CSRF protection of WordPress's administration interface. This might result in a compromise of the admin account and, depending on file permissions on the server, in the execution of arbitrary PHP code.
Credit:
The information has been provided by Stefan Esser.
The original article can be found at: http://www.hardened-php.net/advisory_012007.140.html
Vulnerable Systems:
* WordPress version 2.0.5 and prior
Immune Systems:
* WordPress version 2.0.6
The administration interface within WordPress comes with a token-based CSRF protection. When a request is received with an invalid token it is not discarded, as in many similar applications, but a warning screen is returned that asks the admin to verify the action by clicking on a link (that contains a valid token).
Unfortunately there was a bug in the way the request information (URL variables) was put into the new link. Due to this fault it was possible to break out of the HTML string context by embedding quotes and HTML tags into the names of URL variables.
As a result, it is possible to launch XSS attacks against admin users currently logged into their WordPress installation and perform any administrative action (or simply steal the login cookie). Depending on the file permissions on the server (for example a writable wp-config.php or template file), this can also be exploited to execute arbitrary PHP code.
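The following is an added illustration of the pattern described above, written for this page and not taken from WordPress's own code. It rebuilds a "confirm this action" link from a constructed request whose variable *name* (not value) contains a quote and a tag, first with raw string concatenation and then with every key and value percent-encoded and the finished URL HTML-escaped before it is placed in the attribute. The parameter names and the token value are assumptions.

```php
<?php
// Constructed sample request. The hostile part is the variable NAME, which
// is exactly the spot the advisory says was not treated as untrusted input.
$request = [
    'action'            => 'delete',
    'post"><img src=x>' => '1',   // closes href="..." if copied verbatim
];
$valid_token = 'constructed-token-value';  // assumption: a freshly issued valid token

// Vulnerable pattern: keys and values are concatenated into the href unchanged,
// so a quote in a key ends the attribute and a tag becomes part of the page.
function build_confirm_link_unsafe(array $params, string $token): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = $name . '=' . $value;          // no encoding of name or value
    }
    $url = 'admin.php?' . implode('&', $pairs) . '&token=' . $token;
    return '<a href="' . $url . '">Confirm</a>';
}

// Hardened pattern: percent-encode every name and value (RFC 3986), then
// HTML-escape the whole URL so it cannot leave the attribute context.
function build_confirm_link_safe(array $params, string $token): string
{
    $params['token'] = $token;
    $url = 'admin.php?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Confirm</a>';
}

// Simple review check: an href that still contains a raw quote or angle
// bracket after construction is a sign the escaping step was skipped.
function href_is_contained(string $anchor): bool
{
    preg_match('/href="([^"]*)"/', $anchor, $m);
    $href = $m[1] ?? '';
    return strpos($anchor, '<img') === false && strpbrk($href, '<>"') === false;
}

$unsafe = build_confirm_link_unsafe($request, $valid_token);
$safe   = build_confirm_link_safe($request, $valid_token);
echo $unsafe, "\n";   // the <img> tag is now markup inside the admin page
echo $safe, "\n";     // post%22%3E%3Cimg%20src%3Dx%3E=1 stays inside the href
var_dump(href_is_contained($unsafe));  // bool(false)
var_dump(href_is_contained($safe));    // bool(true)
```

Discarding a request with an invalid token outright, as the advisory notes many applications do, removes this reflection surface altogether; if a confirmation link is offered, both the names and the values of the reflected variables must be encoded.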
Disclosure Timeline:
14 November 2006 - Notified security@wordpress.org
05 January 2007 - WordPress 2.0.6 release
05 January 2007 - Public disclosure
Recommendation:
We strongly recommend upgrading to WordPress 2.0.6, which also fixes several other security vulnerabilities not covered by this advisory: http://wordpress.org/download/