Full Disclosure: Re: [WEB SECURITY] *****SPAM***** New Wordpress 2.2.1 Vulnerabilities and the First Weblog XSS Worm

From: <neil-webappsec-org_at_smithline.net>
Date: Wed, 01 Aug 2007 09:31:15 -0400
While in no way do I wish to take away from the value of your finding these problems (and providing such a convenient fix), your claims of having written "the first weblog worm" seem incorrect. See http://it.slashdot.org/it/05/10/14/126233.shtml?tid=172&tid=95&tid=220 for the entertaining story of one (presumably lonely) hacker, myspace.com, and the powers of exponential propagation. My favorite part is "/was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site/".

- Neil

PS: Have you reported these problems directly to Wordpress? It might be nice if they could get an official patch out. I'm sure that they have a fairly complete list of users and hence can get these problems cleaned up in more sites in less time than this email will.

mybeni websecurity wrote:
> Hey Guys, this is another one of my FD Releases!
>
> I found several critical Wordpress 2.2.1 Vulnerabilities, in detail
> explained here:
>
> http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm/
>
> Plus I made - by using the Exploits I created during my research - the
> first weblog worm, but a "friendly" one: It guides people coming from
> their /wp-admin/ Wordpress Control Panel through the Patching process of
> 3 critical Security Vulnerabilities (XSS, Pers. XSS, SQLInjection), all
> based on Javascript and by using the Vulnerabilities. All you need is to
> post a comment with a link to my blog
> http://mybeni.rootzilla.de/mybeNi/ to your own one and then, all you
> have to do is to click on the link e.g. in the comment Moderation area.
> My Server sees that you're Referring from an Admin Panel and the Worm
> Thingy will show up. Pictures and more are provided here:
> http://mybeni.rootzilla.de/mybeNi/2007/this_is_the_first_weblog_xss_worm/
>
>
> cheers,
>
> Benjamin Flesch
> mybeNi websecurity
> the 17yo who hacked google.


Received on Aug 01 2007
