Full Disclosure mailing list archives
Re: WordPress 4.2 stored XSS
From: Ryan Dewhurst <ryandewhurst () gmail com>
Date: Mon, 27 Apr 2015 22:51:01 +0200
They're registered as part of Automattic - https://hackerone.com/automattic On Mon, Apr 27, 2015 at 10:41 PM, Scott Arciszewski <scott () arciszewski me> wrote:
The author added a note on his page: http://klikki.fi/adv/wordpress2.html Also, searching HackerOne does not reveal a public WordPress program, only WP-API. Does this mean that WordPress was privately participating in HackerOne for select hackers? If so, revealing that publicly is kind of rude. :( On Mon, Apr 27, 2015 at 11:55 AM, Anthony Ferrara <ircmaxell () gmail com> wrote:Just for clarification, was the project given a chance to fix this or notified in any way prior to public announcement? On Sun, Apr 26, 2015 at 4:13 PM, Jouko Pynnonen <jouko () iki fi> wrote:*Overview* Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments.Thescript is triggered when the comment is viewed. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code ontheserver via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system. *Details* If the comment text is long enough, it will be truncated when insertedinthe database. The MySQL TEXT type size limit is 64 kilobytes so thecommenthas to be quite long. The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in thesameway as the previous stored XSS vulnerabilities affecting WordPress. The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead ofusinganinvalid UTF-8 character to truncate the comment, this time anexcessivelylong comment text is used for the same effect. In these two cases the injected JavaScript apparently can't betriggeredinthe administrative Dashboard, so these exploits require getting around comment moderation e.g. by posting one harmless comment first. *Proof of Concept* Enter the following as a comment: <a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA [64 kb] ...'></a> This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions5.1.53and 5.5.41. *Solution* Disable comments (Dashboard, Settings/Discussion, select as restrictive options as possible). Do not approve any comments. *Credits* The vulnerability was discovered by Jouko Pynnönen of Klikki Oy. An up-to-date version of this document:http://klikki.fi/adv/wordpress2.html-- Jouko Pynnönen <jouko () iki fi> Klikki Oy - http://klikki.fi - @klikkioy _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- WordPress 4.2 stored XSS Jouko Pynnonen (Apr 26)
- Re: WordPress 4.2 stored XSS Scott Arciszewski (Apr 26)
- Re: WordPress 4.2 stored XSS Hanno Böck (Apr 27)
- Re: WordPress 4.2 stored XSS Winni Neessen (Apr 27)
- Re: WordPress 4.2 stored XSS C0r3dump3d (Apr 28)
- Re: WordPress 4.2 stored XSS Winni Neessen (Apr 27)
- Re: WordPress 4.2 stored XSS Anthony Ferrara (Apr 27)
- Re: WordPress 4.2 stored XSS Fyodor (Apr 27)
- Re: WordPress 4.2 stored XSS Scott Arciszewski (Apr 27)
- Re: WordPress 4.2 stored XSS Ryan Dewhurst (Apr 27)
- Re: WordPress 4.2 stored XSS Scott Arciszewski (Apr 27)