mailing list archives
Re: [MajorSecurity SA-080]WordPress 3.0.1 - Cross Site Scripting Issue
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 20 Aug 2010 23:58:08 +0300
Regarding this XSS in WordPress 3.0.1
(http://www.securityfocus.com/archive/1/513101/30/30/threaded) I'll note
about what I already wrote at my site last week. And already wrote to David.
That for the attack it's needed to know token (_wpnonce), which designed to
protect against CSRF attacks (which exists in WP 2.9.2 and previous versions
and must be in next versions), so practically it'll be hard to use this XSS.
Note, that versions WordPress 2.0.x aren't vulnerable, because they have not
such functionality. But, as I checked, vulnerable are versions 2.7 - 2.9.2
(similarly as in case of versions 3.0 and 3.0.1). Also vulnerable is WP
2.6.2, but it's needed to make attack differently in it (completely
different request), at that only POST request is possible (at that in WP 2.7
and higher as GET, as POST requests are possible). In WP 2.6.x this
functionality is implemented differently.
Also I'll note, that researcher stated, that attack is going via parameter
checked in script wp-admin/plugins.php, when parameter action equal
delete-selected. As I checked, XSS code can be set as in checked, as in
checked and so on, and also in checked. Besides in WP 2.8 - 2.9.2 (and
possibly in 3.0 and 3.0.1) it's possible to set as action equal
delete-selected, as action2 equal delete-selected, and in versions 2.7.х
it's possible to use only action.
Best wishes & regards,
Administrator of Websecurity web site