Full Disclosure mailing list archives
Denial of Service in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 27 Jun 2013 20:28:00 +0300
Hello list!These are Denial of Service vulnerabilities WordPress. Which I've disclosed two days ago (http://websecurity.com.ua/6600/).
About XSS vulnerabilities in WordPress, which exist in two redirectors, I wrote last year (http://seclists.org/fulldisclosure/2012/Mar/343). About Redirector vulnerabilities in these WP scripts I wrote already in 2007 (and made patches for them). The developers fixed redirectors in WP 2.3, so Redirector and XSS attacks are possible only in previous versions.
As I've recently checked, this functionality can be used for conducting DoS attacks. I.e. to make Looped DoS vulnerabilities from two redirectors (according to Classification of DoS vulnerabilities in web applications (http://websecurity.com.ua/2663/)), by combining web site on WordPress with redirecting service or other site. This attack is similar to looping two redirectors, described in my articles Redirectors' hell and Hellfire for redirectors. The interesting, that looped redirector (http://tinyurl.com/hellfire-url), which I've made at 5th of February 2009 for my article Hellfire for redirectors, is still working.
------------------------- Affected products: -------------------------Vulnerable are all versions of WordPress: for easy attack - WP 2.2.3 and previous versions, for harder attack - WP 3.5.2 and previous versions. The second variant of attack requires Redirector or XSS vulnerability at the same domain, as web site on WP.
---------- Details: ---------- Denial of Service (WASC-10):It's needed to create Custom alias at tinyurl.com or other redirector service, which will be leading to wp-login.php or wp-pass.php with setting alias for redirection.
http://site/wp-login.php?action=logout&redirect_to=http://tinyurl.com/loopeddos1 http://site/wp-pass.php?_wp_http_referer=http://tinyurl.com/loopeddos2 Here are examples of these vulnerabilities: http://tinyurl.com/loopeddos1 http://tinyurl.com/loopeddos2This attack will work for WordPress < 2.3. At that Mozilla, Firefox, Chrome and Opera will stop endless redirect after series of requests, unlike IE.
To make this attack work in all versions of the engine, including WordPress 3.5.2, it's needed that redirector was on the same domain, as web site on WP. For this it can be used any vulnerability, e.g. reflected XSS or persistent XSS (at the same domain), for including a script for redirecting to one of these redirectors:
WordPress_Looped_DoS.html <script>document.location="http://site/wp-login.php?action=logout&redirect_to=http://site/WordPress_Looped_DoS.html";</script> WordPress_Looped_DoS-2.html <script>document.location="http://site/wp-pass.php";</script>This attack will work as in WordPress 3.5.2 and previous versions, as it isn't stopping by the browsers (endless redirect).
Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Denial of Service in WordPress MustLive (Jun 27)
- Re: Denial of Service in WordPress Ryan Dewhurst (Jun 27)
- Re: Denial of Service in WordPress MustLive (Jun 27)
- Re: Denial of Service in WordPress Julius Kivimäki (Jun 27)
- Re: Denial of Service in WordPress MustLive (Jun 28)
- Re: Denial of Service in WordPress Jann Horn (Jun 28)
- Re: Denial of Service in WordPress Julius Kivimäki (Jun 29)
- Re: Denial of Service in WordPress Cool Hand Luke (Jun 30)
- Re: Denial of Service in WordPress MustLive (Jun 27)
- Re: Denial of Service in WordPress Ryan Dewhurst (Jun 27)
- Re: Denial of Service in WordPress Jann Horn (Jun 27)
- Re: Denial of Service in WordPress Michal Zalewski (Jun 27)
- Re: Denial of Service in WordPress MustLive (Jun 29)