mailing list archives
CSRF, DoS and IL vulnerabilities in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 17 Dec 2013 16:26:12 +0200
As I've announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219),
I conducted a Day of bugs in WordPress 3. At 30.11.2013 I disclosed many new
vulnerabilities in WordPress. I've disclosed 10 holes (they were placed at
my site for your attention). And this is translation of the second part of
These are Cross-Site Request Forgery, Denial of Service and Information
Leakage vulnerabilities in WordPress.
For CSRF and DoS vulnerable are WordPress 2.0.11 and previous versions
(which had this functionality). Instead of fixing the holes, developers
removed this functionality.
For Information Leakage vulnerable are WordPress 3.7.1 and previous
versions. And also WP 3.8, which was released at 14.12.2013 (since
developers traditionally made their new version "vulnerabilities
Cross-Site Request Forgery (WASC-09) / Denial of Service (WASC-10):
There is no protection against CSRF in retrospam functionality.
The request starts checking of the comments on stop-words, which overloads
the server. The more words in the list (and it's possible to add any amount
of them via XSS vulnerability) and the more comments at the site, the more
Cross-Site Request Forgery (WASC-09):
This request moves comments, including moderated ones, to moderation list.
It's just needed to set ids of comments.
Information Leakage (WASC-13):
At request to the page options.php it's possible to receive important data
from DB. As at access to admin panel, as it's possible to get content of the
page via XSS attack. Particularly different keys, salts, logins and
passwords, such as auth_key, auth_salt, logged_in_key, logged_in_salt,
nonce_key, nonce_salt, mailserver_login, mailserver_pass (the amount of
parameters depends on version of WP).
About leakage of login and password from e-mail account (which are saved in
DB in plain text) at other page of admin panel I wrote in previous advisory
(http://seclists.org/fulldisclosure/2013/Dec/135). This is the second page,
where there is a leakage of this data. It allows to take over this site
(including in the future, via password recovery function) and other sites,
where there is password recovery function, which will send letters to this
e-mail. Because an user may use his main e-mail account in the settings (I
saw such cases in Internet).
2013.11.30 - disclosed at my site (http://websecurity.com.ua/6906/).
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- CSRF, DoS and IL vulnerabilities in WordPress MustLive (Dec 17)