BugTraq
Multiple XSS Vulnerabilities in Wordpress 1.2.1 Dec 16 2004 06:21AM
Thomas Waldegger (bugtraq morph3us org)


Vendor : Wordpress

URL : http://wordpress.org/

Version: Wordpress 1.2.1

Risk : XSS

* Description

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. [...]

Visit http://wordpress.org/ for detailed information.

* Summary

After a quick reread of the WordPress source code I was very disappointed about the improvements in the new version 1.2.1 of WordPress. The developers did not fix all flaws I mentioned in my last advisory [1] and they did not improve the code of the files in the administration panel. There were still a lot of XSS vulnerabilities.

So I contacted the main developer again on October 28th and posted a notice about several security flaws in their support forum to be sure the message reached the developers. On December 15th - yesterday - they released a fixed version.

* Cross Site Scripting and similar flaws

Version 1.2.1 of WordPress was *more* vulnerable than the 1.2 release because of this new "feature" in wp-login.php:

> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) != get_settings('siteurl') )
>     update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) );

With a URI like

/wp-login.php?="><script>alert(document.cookie)</script></script>

an attacker was able to store arbitrary values in the global siteurl setting, because the query string is never stripped from REQUEST_URI before the value is written.
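The detection code above, side by side with a hardened version, as an added example that is not part of the advisory or of WordPress; it assumes PHP 7 or later and uses a constructed request mirroring the advisory's URI:

```php
<?php
// Added example (not WordPress's code): the siteurl auto-detection quoted
// in the advisory next to a hardened variant. Requires PHP 7 or later.

// Constructed request mirroring the advisory's URI: the script tag rides
// in the query string of a request to wp-login.php.
$server = [
    'HTTP_HOST'   => 'blog.example.test',
    'REQUEST_URI' => '/wp-login.php?="><script>alert(document.cookie)</script>',
];

// Vulnerable logic as quoted: the full REQUEST_URI, query string included,
// goes through dirname() and straight into the siteurl option. The last
// '/' of this URI sits inside '</script>', so everything before it,
// including '<script>alert(document.cookie)<', becomes the stored value.
function detect_siteurl_vulnerable(array $server): string
{
    return dirname('http://' . $server['HTTP_HOST'] . $server['REQUEST_URI']);
}

// Hardened variant (assumption: one reasonable fix, not the patch shipped
// in 1.2.2): validate the Host header, keep only the path component of the
// URI, and reject any path outside a conservative character allow-list, so
// the query string can never reach the stored setting.
function detect_siteurl_hardened(array $server): ?string
{
    $host = $server['HTTP_HOST'] ?? '';
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]+)?$/', $host)) {
        return null;                              // not a plain hostname
    }
    $path = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH);
    if (!is_string($path) || !preg_match('#^(/[A-Za-z0-9._-]+)+$#', $path)) {
        return null;                              // not a clean absolute path
    }
    $dir = dirname($path);                        // '/wp-login.php' -> '/'
    return 'http://' . $host . ($dir === '/' ? '' : $dir);
}

$vuln = detect_siteurl_vulnerable($server);       // payload lands in the value
$safe = detect_siteurl_hardened($server);         // 'http://blog.example.test'
echo "vulnerable stores: $vuln\n";
echo "hardened stores:   " . ($safe ?? '(rejected)') . "\n";
// Defence in depth: whatever is stored must still be escaped on output.
echo '<a href="' . htmlspecialchars($vuln, ENT_QUOTES, 'UTF-8') . '">' . "\n";
```

Run with `php` on the command line; the hardened function keeps the benign path and drops the query string, while the vulnerable one carries the script tag into the stored value.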

Another issue was that an administrator or privileged user was able to post messages, add new categories, change profile values etc. containing HTML code.

Still vulnerable in WP-1.2.1:

/wp-login.php?redirect_to=[XSS]

/wp-admin/bookmarklet.php?popupurl=[XSS]

/wp-admin/bookmarklet.php?content=[XSS]

XSS vulns they did not fix:

/wp-admin/edit-comments.php?s=[XSS]

/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]

/wp-admin/templates.php?file=[XSS]

/wp-admin/link-add.php?linkurl=[XSS]

/wp-admin/link-add.php?name=[XSS]

/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit

/wp-admin/link-manager.php?order_by=[XSS]

/wp-admin/link-manager.php?cat_id=[XSS]

/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]

/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]

/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]

/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]

/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]

/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]

/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]

/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]

/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]

/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]

/wp-admin/post.php?content=[XSS]

/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL errors:

/index.php?m=bla

/wp-admin/edit.php?m=bla

/wp-admin/link-categories.php?cat_id=bla&action=Edit

* Solution

Upgrade to WordPress 1.2.2 [2]

* Credits

Thomas Waldegger

[1] http://www.securityfocus.com/archive/1/376766

[2] http://wordpress.org/development/2004/12/one-point-two-two/
