Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Wordpress 2.3 Cross Domain Content Insertion- New vulnerability + exploit - xssworm.com
From: dave-san <dave () subverted org>
Date: Tue, 13 Nov 2007 23:51:58 -0700

Comments inline..

XSS Worm XSS Security Information Portal wrote:
*0day XSS Exploit for Wordpress 2.3* – wp-slimstat 0.92 – [xssworm.com]

Source:
http://xssworm.blogvis.com/13/xssworm/0day-inject-exploit-for-wordpress-23-xsswormcom-all-version-vulnerable-with-no-patch/

There is a serious holes in wordpress 2.3 that can be used with XSS by a
blackhat hacker to attack the wordpress administrator and steal cookies from
blogmins. This attack is known as 0day because it has just been reported to
public and this is first day of public vulnerability, and *0day means
'published.*'
Proof of concept:

http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss
shellcode>


Hmm.. XSS shellcode? That's a new one for me. I'll take this to mean the 
injected script. From your post, I don't think you mean "shellcode" in 
the traditional sense.

This attack to be used against wordpress web blog blogmin to steal
blogosphere token to hack blogs. Of course we have included exploit code for
this bug at the below.

We have looked at coding for wp-slimstat but we cannot see any problem with
input validating. Maybe some of the xssworm.com readers can show us where
problem is in the php code because we cannot see any porblem here:

–snips:

C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'— <a
href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset
filters', 'wp-slimstat').'</a>':").'
<input type="hidden" name="page" value="'.$_GET['page'].'" />
<input type="hidden" name="panel" value="'.$_GET["panel"].'" />
<input type="hidden" name="fd" value="'.$_GET["fd"].'" /></form>';


It's late, and I might have missed something, but from the above, I 
don't see where the vulnerable parameter is being written back to the 
HTML response. Therefore, I don't think there is enough code in the 
lines above to locate the entire issue (though it looks like other 
parameters are vulnerable too). You mentioned:

  ft=<xss shellcode>

So, in this example, "ft" is the vulnerable parameter. Trace what 
happens in code with that parameter after it receives input. I'd guess 
that there is something like..

   echo '<maybe some HTML crap here>'. $myFilterType .' more...

or

   echo '<ditto>'.$_GET["ft"].'<ditto>..

Perhaps take a look at where they missed the output formatting/encoding 
for HTML. I may be so bold as to suggest that the lack of output 
encoding is the major reason that XSS exists.

–snips

With programmor using $_GET variable from user into echo into html output
maybe php automatic GET validation filtering is not working for security? We
are not programmers of php so we cannot see any porblems here as bug are too
complex to understand.
Many thanks for your comments on this vulnerability in wordpress 2.4

..edit


Thanks vaj


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]