Bugtraq mailing list archives

Re: [MajorSecurity SA-080]WordPress 3.0.1 - Cross Site Scripting Issue


From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 20 Aug 2010 23:58:08 +0300

Hello Bugtraq!

Regarding this XSS in WordPress 3.0.1 (http://www.securityfocus.com/archive/1/513101/30/30/threaded), I'll note what I already wrote on my site last week and already wrote to David: for the attack it is necessary to know the token (_wpnonce), which is designed to protect against CSRF attacks (which exists in WP 2.9.2 and previous versions and must be in next versions), so in practice it will be hard to use this XSS.

Note that WordPress 2.0.x versions aren't vulnerable, because they do not have such functionality. But, as I checked, versions 2.7 - 2.9.2 are vulnerable (similarly to versions 3.0 and 3.0.1). WP 2.6.2 is also vulnerable, but the attack must be made differently in it (a completely different request), and only a POST request is possible there (while in WP 2.7 and higher both GET and POST requests are possible). In WP 2.6.x this functionality is implemented differently.

I'll also note that the researcher stated that the attack goes via the parameter checked[0] in the script wp-admin/plugins.php, when the parameter action equals delete-selected. As I checked, the XSS code can be set in checked[0], in checked[1] and so on, and also in checked[]. Besides, in WP 2.8 - 2.9.2 (and possibly in 3.0 and 3.0.1) it's possible to set either action equal to delete-selected or action2 equal to delete-selected, while in versions 2.7.x it's possible to use only action.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
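
A detection check for the request shape described in the message above, as an added example that is not part of the original post or of WordPress. The function name, the markup heuristic and the sample requests are assumptions constructed for illustration; it covers any checked[...] index, both action and action2, and both GET and POST.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic (assumption): these values normally hold plugin file paths,
# so markup characters in them are worth flagging.
MARKUP = re.compile(r'[<>"]')
# checked[0], checked[1], ... and checked[] are all accepted by the script.
CHECKED = re.compile(r'^checked\[\d*\]$')
# Per the message, action2 also works in WP 2.8 and later.
TRIGGERS = ("action", "action2")


def suspicious_checked(method, url, body=""):
    """Return the checked[...] parameter names that carry markup, or []."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/plugins.php"):
        return []
    # GET carries the parameters in the query string, POST in the form body;
    # merge both so either request shape is inspected.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    if not any(k in TRIGGERS and v == "delete-selected" for k, v in params):
        return []
    return [k for k, v in params if CHECKED.match(k) and MARKUP.search(v)]


# Constructed sample requests (method, URL, form body); not real traffic.
SAMPLES = [
    ("GET", "/wp-admin/plugins.php?action=delete-selected"
            "&checked%5B0%5D=%3Cb%3Ex&_wpnonce=PLACEHOLDER", ""),
    ("POST", "/wp-admin/plugins.php",
     "action2=delete-selected&checked%5B%5D=akismet%2Fakismet.php"
     "&checked%5B1%5D=%22%3E%3Ci%3E"),
    ("GET", "/wp-admin/plugins.php?action=delete-selected"
            "&checked%5B0%5D=hello.php", ""),
    ("GET", "/wp-admin/plugins.php?action=activate"
            "&checked%5B0%5D=%3Cb%3E", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url[:45], "->", suspicious_checked(method, url, body))
```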

