mailing list archives
IAA, Redirector and XSS vulnerabilities in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 5 May 2012 16:01:53 +0300
I want to warn you about security vulnerabilities in WordPress.
These are Insufficient Anti-automation, Redirector and Cross-Site Scripting
Vulnerable are WordPress 2.0 - 3.3.1.
Already from WP 2.0 there are Insufficient Anti-automation, Redirector and
XSS vulnerabilities in wp-comments-post.php. With IAA I've faced just when
begun using WP in 2006. If the developers fixed vulnerabilities in previous
two redirectors in WP 2.3, then these vulnerabilities were not fixed even in
Lack of captcha in comment form allows to conduct automated attacks. The
developers still haven't put captcha in WP comments form (from the first
version of engine), which besides IAA attacks, also allowed to conduct
Redirector and XSS attacks.
By default in WordPress the premoderation is turned on, and also there is
built-in anti-spam filter. But if 10 years ago the premoderation would be
enough, then long ago this mechanism couldn't be considered as sufficient
protection against spam, and anti-spam filter had efficiency less then 1% -
only few from spam messages he marked as spam. And also these mechanisms
don't protect against below-mentioned attacks. Also plugin Akismet is
bundled with WP, which is "captcha-less" protection against spam. But by
default it's turned off and comparing with captcha it's considered as less
efficient and also doesn't protect against below-mentioned attacks.
Redirector (URL Redirector Abuse) (WASC-38):
XSS attack is possible on different browsers, but it's harder to conduct
then in case of previous two redirectors (via data URI). At IIS web servers
the redirect is going via Refresh header, and at other web servers - via
Due to nuances of work of this script (filtering of important symbols and
adding of anchor), for execution of JS code it's needed to use tricky bypass
Reliable captcha protects against IAA, Redirector and XSS vulnerabilities.
2012.04.26 - disclosed at my site (http://websecurity.com.ua/5818/).
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- IAA, Redirector and XSS vulnerabilities in WordPress MustLive (May 05)