[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] CSRF, DoS and IL vulnerabilities in WordPress

Hello list!

As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), I conducted a Day of bugs in WordPress 3. At 30.11.2013 I disclosed many new vulnerabilities in WordPress. I've disclosed 10 holes (they were placed at my site for your attention). And this is translation of the second part of these holes.

These are Cross-Site Request Forgery, Denial of Service and Information Leakage vulnerabilities in WordPress.

Affected products:

For CSRF and DoS vulnerable are WordPress 2.0.11 and previous versions (which had this functionality). Instead of fixing the holes, developers removed this functionality.

For Information Leakage vulnerable are WordPress 3.7.1 and previous versions. And also WP 3.8, which was released at 14.12.2013 (since developers traditionally made their new version "vulnerabilities compatible").


Cross-Site Request Forgery (WASC-09) / Denial of Service (WASC-10):

There is no protection against CSRF in retrospam functionality.


The request starts checking of the comments on stop-words, which overloads the server. The more words in the list (and it's possible to add any amount of them via XSS vulnerability) and the more comments at the site, the more overload.

Cross-Site Request Forgery (WASC-09):


This request moves comments, including moderated ones, to moderation list. It's just needed to set ids of comments.

Information Leakage (WASC-13):

At request to the page options.php it's possible to receive important data from DB. As at access to admin panel, as it's possible to get content of the page via XSS attack. Particularly different keys, salts, logins and passwords, such as auth_key, auth_salt, logged_in_key, logged_in_salt, nonce_key, nonce_salt, mailserver_login, mailserver_pass (the amount of parameters depends on version of WP).


About leakage of login and password from e-mail account (which are saved in DB in plain text) at other page of admin panel I wrote in previous advisory (http://seclists.org/fulldisclosure/2013/Dec/135). This is the second page, where there is a leakage of this data. It allows to take over this site (including in the future, via password recovery function) and other sites, where there is password recovery function, which will send letters to this e-mail. Because an user may use his main e-mail account in the settings (I saw such cases in Internet).

2013.11.30 - disclosed at my site (http://websecurity.com.ua/6906/).

Best wishes & regards,
Administrator of Websecurity web site

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/