OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Multiple XSS Vulnerabilities in Wordpress 1.2.1

From: Thomas Waldegger (bugtraqmorph3us.org)
Date: Thu Dec 16 2004 - 00:21:19 CST


Vendor : Wordpress
URL : http://wordpress.org/
Version: Wordpress 1.2.1
Risk: : XSS

* Description
WordPress is a state-of-the-art semantic personal
publishing platform with a focus on aesthetics, web
standards, and usability. [...]

Visit http://wordpress.org/ for detailed informations.

* Summary
After a quick reread of the wordpress source code I
was very disappointed about the improvements in the
new version 1.2.1 of wordpress. The developers did
not fix all flaws I mentioned in my last advisory
[1] and they did not improve the code of the files
in the administration panel. There were still a lot
of XSS vulnerabilities.

So I contaced the main developer again on October
28th and posted the notice about several security
flaws in their support forum to be sure the message
reaches the developers. On December 15th - yesterday
- they released a fixed version.

* Cross Site Scripting and similar flaws
The version 1.2.1 of wordpress was *more* vulnerable
than the 1.2 release cause of this new "feature"
in wp-login.php.

> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
!= get_settings('siteurl') )
> update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] .
$_SERVER['REQUEST_URI']) );

With an URI like

/wp-login.php?="><script>alert(document.cookie)</script></script>

an attacker was able to store arbitrary values in
the global siteurl setting.

Another issue was that an administrator or privileged
user was able to post messages, add new categories,
change profile values etc. with HTML code in it.

Still vulnerable in WP-1.2.1:
/wp-login.php?redirect_to=[XSS]
/wp-admin/bookmarklet.php?popupurl=[XSS]
/wp-admin/bookmarklet.php?content=[XSS]

XSS vulns they did not fix:
/wp-admin/edit-comments.php?s=[XSS]
/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/link-add.php?linkurl=[XSS]
/wp-admin/link-add.php?name=[XSS]
/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
/wp-admin/link-manager.php?order_by=[XSS]
/wp-admin/link-manager.php?cat_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
/wp-admin/post.php?content=[XSS]
/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL errors:
/index.php?m=bla
/wp-admin/edit.php?m=bla
/wp-admin/link-categories.php?cat_id=bla&action=Edit

* Solution
Upgrade to Worpress 1.2.2 [2]

* Credits
Thomas Waldegger

[1] http://www.securityfocus.com/archive/1/376766
[2] http://wordpress.org/development/2004/12/one-point-two-two/