
Re: [Full-disclosure] Code Execution vulnerability in WordPress



Just for your (and everyone else's) information, WordPress allows
Administrators to edit template code, which, as you may or may not know, is
nothing but plain PHP code.
Besides, WordPress can be made to upload rogue addons (under this same
role), among many other things malicious Administrators might want to do.

At this point I don't think it makes the least sense to call such a feature
a vulnerability, not because it's not exploitable, but because of the simple
reason that when you're dead you should call it quits and stop fcking
pretending nothing happened to you. If that didn't hit, let me state it
plain and simple, if your server is compromised, there are ZERO reasons you
would want the attacker to not be able to install plugins simply because it
can't be done.

Yes, I'm in a mood and simply can't stand clueless idiots trying to make
headlines with fancy irrelevant titles.

While at it, MustLive, here's a clue: PHP is one huge exploit; it can run
code (oh noes)!!




On Fri, Apr 29, 2011 at 7:13 PM, MustLive <mustlive@xxxxxxxxxxxxxxxxxx> wrote:

> Hello list!
>
> I want to warn you about Code Execution vulnerability in WordPress.
>
> SecurityVulns ID: 11622.
>
> -------------------------
> Affected products:
> -------------------------
>
> WordPress versions 2.5 - 3.1.1 are vulnerable. The new version 3.1.2, which
> was released on the 26th of April just after my disclosure, must also be
> vulnerable. The attack via double extension will work on Apache with the
> appropriate configuration.
>
> ----------
> Details:
> ----------
>
> A Code Execution (WASC-31) attack is possible in WordPress via the uploader.
> The attack can be conducted by users with the roles Author, Editor and
> Administrator.
>
> In WordPress 2.5 - 2.8.4 it's possible to upload php scripts (1.php) to the
> Media Library. In 2.5 - 2.7.1 the attack is possible only for
> Administrator.
> For Author and Editor it's not possible to upload 1.php, nor will the attack
> work via double extensions.
>
> In version 2.8.5 it was also prohibited for Administrator. And even in
> 2.8 - 2.8.5, for Author and Editor (and for Administrator in 2.8.5) it's
> impossible to upload 1.php, but it's possible to upload 1.php.txt.
>
> At that, in WP 2.0 - 2.0.11 (where there was no Media Library) all roles
> were prohibited from uploading files with the php extension (and the
> bypassing method didn't work). The same in versions 2.1.x, 2.2.x and 2.3.x.
> Only in WordPress 2.2 (http://websecurity.com.ua/1276/) did Alexander Concha
> find a vulnerability which allowed uploading files with the php extension.
>
> In version 2.8.6 and higher it's already prohibited. The attack via double
> extensions (1.php.txt and 1.asp;.txt) will not work, but it's possible to
> use 1.phtml.txt (for all three roles) to execute code.
>
> ------------
> Timeline:
> ------------
>
> 2011.04.26 - disclosed at my site. As I have already written many times to
> security mailing lists (http://www.securityfocus.com/archive/1/510274),
> since 2008 I no longer inform WP developers about vulnerabilities in
> WordPress.
>
> I mentioned these vulnerabilities at my site
> (http://websecurity.com.ua/5108/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
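The double-extension case in the quoted advisory (1.php.txt, 1.phtml.txt) only matters because Apache's mod_mime applies handlers set with AddHandler/AddType to every dotted segment of a filename, not just the last one, so an upload filter that looks only at the final extension is insufficient on such a host. The following added example, written for this reply and not code from MustLive or from WordPress, contrasts that weak, last-extension-only check with a hardened filter that rejects any executable segment anywhere in the name and allowlists the final extension. The extension sets and the sample filenames are constructed for illustration; tune the sets to the handlers actually configured on your server.

```python
import re

# Constructed deny-list: extensions a typical Apache/PHP setup may map to a
# script handler.  Assumed for this example; check your own AddHandler/AddType lines.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx", "cgi", "pl",
}

# Constructed allow-list of extensions a media uploader is expected to accept.
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}

# Basename-only character policy: letters, digits, underscore, dot, hyphen.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.\-]+")


def weak_check(filename: str) -> bool:
    """The insufficient policy: accept if the LAST extension is allowed.

    This is what lets 1.phtml.txt through, since its final segment is 'txt'.
    """
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_UPLOAD_EXTENSIONS


def hardened_check(filename: str) -> bool:
    """Reject multi-extension tricks that mod_mime would still hand to a script handler.

    Rules: basename characters only (no ';', '/', spaces, control chars),
    a non-empty stem (so dotfiles like .htaccess are refused), no executable
    extension in ANY dotted segment, and an allow-listed final extension.
    """
    if not _SAFE_NAME.fullmatch(filename):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False
    extensions = parts[1:]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False
    return extensions[-1] in ALLOWED_UPLOAD_EXTENSIONS


def safe_name(filename: str) -> str:
    """Normalise a name to a single extension by turning inner dots into '_'.

    Useful when you would rather store the file under a defanged name than
    reject it outright; the result never carries more than one extension.
    """
    stem, _, ext = filename.rpartition(".")
    return stem.replace(".", "_") + "." + ext if stem else filename


def audit(filenames):
    """Return {name: (weak_result, hardened_result)} for a batch of names."""
    return {name: (weak_check(name), hardened_check(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the ones mentioned in the advisory.
    samples = ["photo.jpg", "1.php", "1.php.txt", "1.asp;.txt", "1.phtml.txt", ".htaccess"]
    for name, (weak, hard) in audit(samples).items():
        print(f"{name:14} weak={weak!s:5} hardened={hard}")
```

The audit output shows the gap: the weak policy accepts 1.php.txt, 1.asp;.txt and 1.phtml.txt because each ends in .txt, while the hardened policy refuses all three and still accepts photo.jpg. Pair this with a server-side fix so the filter is not the only line of defence: map the PHP handler with a FilesMatch on a terminal "\.php$" pattern instead of a bare AddHandler, and keep the upload directory non-executable.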