Full Disclosure mailing list archives
Strictly social XSS vulnerability in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 6 Nov 2011 19:40:06 +0200
Hello list! I want to warn you about a Cross-Site Scripting vulnerability in WordPress, which I found on 15.10.2008 and to which all versions of WordPress are vulnerable. SecurityVulns ID: 12022.

There is a Cross-Site Scripting vulnerability in WordPress, in this case Strictly social XSS (http://websecurity.com.ua/5476/). And at once of two types of this XSS class: Strictly social XSS persistent (link with JavaScript/VBScript) and Strictly social XSS persistent self-contained (link with data with JavaScript). This is a good example of these two types of Strictly social XSS vulnerabilities (like all other examples of holes in browsers, web applications and web sites mentioned in my article).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of WordPress - WP 3.2.1 and previous versions. I've tested in different 2.0.x versions, including 2.0.11, and in 3.1.1.

----------
Details:
----------

XSS (WASC-08):

In the comment field (parameter comment):

<a href="javascript:alert(document.cookie)">test</a>
<a href="vbscript:MsgBox(document.cookie)">test</a>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+">test</a>

The attack will work only if an admin has published the comment, but not a non-auth user. For this it's possible to use the CSRF vulnerability in WordPress <= 2.1.2 (http://securityvulns.ru/Qdocument260.html). In the description of this vulnerability ciri wrote about persistent XSS (which worked with CSRF), but I am talking about Strictly social XSS. In new versions of WP, where there is protection against CSRF, it's possible to use a reflected XSS hole (or other techniques developed by me) for bypassing this protection and publishing the comment with the attacking code. The developers had already fixed CSRF in WordPress 2.0.10 and 2.1.3, but the possibility of conducting Strictly social XSS (via anchor tag) is still left even in the last version of WP.
The developers decided not to remove this admin functionality for a complete fix of the XSS, limiting themselves to fixing CSRF. So both the above-mentioned persistent XSS and the Strictly social XSS found by me are still working.

I mentioned this vulnerability at my site: http://websecurity.com.ua/5481/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
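The three payloads in the post all rely on the scheme of an anchor's href (javascript:, vbscript:, data:). The check below is an added example for this archive page, not MustLive's code and not WordPress's own comment sanitizer; the function names, the scheme allowlist and the sample comment HTML are assumptions. It shows the defensive pattern: decode numeric entities, strip the control characters and whitespace browsers ignore, lowercase, and then accept only relative links or an allowlisted scheme, so the attacker's text survives but the link is neutralised.

```javascript
// Added example (not from the post or from WordPress): scheme-allowlist check
// for anchor hrefs in user-submitted comment HTML.
// Assumption: these scheme names are the only ones a comment may link to.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Browsers decode numeric character references inside attribute values
// (e.g. "&#106;avascript:"), so a filter must decode them too.
function decodeNumericEntities(s) {
  const fromCp = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCp(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCp(parseInt(dec, 10)));
}

// Browsers also ignore ASCII control characters and leading whitespace in
// a URL and match the scheme case-insensitively; normalise the same way.
function normaliseHref(href) {
  return decodeNumericEntities(href)
    .replace(/[\u0000-\u0020\u007f]/g, "")
    .toLowerCase();
}

// True when the href is safe to keep: no scheme at all (relative path or
// #fragment) or a scheme on the allowlist. javascript:, vbscript:, data:
// and every unknown scheme are rejected.
function isSafeHref(href) {
  const h = normaliseHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(h);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1]);
}

// Rewrites each <a ... href=...> in the comment HTML. Unsafe hrefs become
// "#" so the link text is preserved but cannot execute anything.
function sanitizeCommentLinks(html) {
  const anchorHref =
    /<a\b([^>]*?)\shref\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))([^>]*)>/gi;
  return html.replace(anchorHref, (match, before, quoted, dq, sq, bare, after) => {
    const value = dq !== undefined ? dq : sq !== undefined ? sq : bare;
    const safe = isSafeHref(value) ? value : "#";
    return `<a${before} href="${safe}"${after}>`;
  });
}

// Constructed sample comment mixing a legitimate link with the three
// payload shapes from the post plus an entity-obfuscated variant.
const SAMPLE_COMMENT = [
  '<a href="https://websecurity.com.ua/5476/">article</a>',
  '<a href="javascript:alert(document.cookie)">test</a>',
  '<a href="vbscript:MsgBox(document.cookie)">test</a>',
  '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+">test</a>',
  '<a href="&#106;avascript:alert(1)">test</a>',
].join("\n");

console.log(sanitizeCommentLinks(SAMPLE_COMMENT));
```

The allowlist approach is deliberately stricter than a denylist of bad schemes: a new or unusual scheme is rejected by default rather than slipping through. Two caveats a practitioner should keep in mind: a host-only value such as "localhost:8080/" is treated as an unknown scheme and rejected, and a regex over raw HTML is only a demonstration; a real comment pipeline should run the same scheme check on attribute values produced by a proper HTML parser.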