##########################################################
# GulfTech Security Research             June 28th, 2005
##########################################################
# Vendor  : WordPress
# URL     : http://wordpress.org/
# Version : WordPress 1.5.1.2 && Earlier
# Risk    : Multiple Vulnerabilities
##########################################################



Description:
WordPress is a very popular personal publishing platform aka blog
software, and is used by everyone from celebrities, to government
officials, to non technical average joe's. There are a number of
vulnerabilities in WordPress that may allow an attacker to ultimately
run arbitrary code on the vulnerable system. These vulnerabilities
include SQL Injection, Cross Site Scripting, and also issues that may
aid an attacker in social engineering. An updated version of WordPress
is available and users are strongly advised to upgrade.



Cross Site Scripting:
There are a number of cross site scripting issues in the WordPress
personal publishing platform.

http://wordpress/wp-admin/post.php?action=confirmdeletecomment&p=1&
comment=22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/script%3E

http://wordpress/wp-admin/post.php?action=confirmdeletecomment&p=1
22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/script%3E&comment=2

Even though these vulnerabilities are in the admin section I still
consider them a higher risk than "normal" because if an attacker has
an admin's cookie data then he can forge a cookie, access the admin
section, and execute arbitrary code by inserting malicious php into
an existing plugin. Also, if you are thinking that the referrer check
in wordpress prevents this particular vulnerability then you are mistaken.



SQL Injection:
WordPress comes with it's own built in XMLRPC server server, and this
XMLRPC server is enabled by default. The problem here though is that
a big part of WordPress preventative security measure comes from this.

if ( !get_magic_quotes_gpc() ) {
    $_GET    = add_magic_quotes($_GET   );
    $_POST   = add_magic_quotes($_POST  );
    $_COOKIE = add_magic_quotes($_COOKIE);
    $_SERVER = add_magic_quotes($_SERVER);
}

This code resides in the file wp-settings.php and prevents a number of
what would be SQL Injection attacks otherwise. However, the problem
with this bit of code and the XMLRPC server is that the XMLRPC server
receives it's data from the $HTTP_RAW_POST_DATA variable, and this data
is not sanitized by magic_quotes_gpc() or the previously mentioned code.
So, that leaves nearly every method that the XMLRPC server uses vulnerable
to attack. The following XML file could be used to gain an admin hash.

<?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
    <params>
        <param><value><string>
        foobar' UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM wp_users
        WHERE (user_login='admin' AND MID(user_pass,1,1)='2')/*
        </string></value></param>
        <param><value><string>http://host/?p=1#1</string></value>
        </param><param><value><string>admin</string></value></param>
    </params>
</methodCall>

The above XML file would return the message "The pingback has already been
registered" if the user admin had a password hash that starts with the 
number
two, otherwise we get an error. This vulnerability is VERY dangerous because
once an an attacker has admin access they can execute arbitrary php code by
placing it within an existing plugin, and the ONLY thing an attacker 
needs to
access the admin section is the user login name, and the password hash 
(it does
not need to be decrypted) to place in a cookie. Also, we can likely 
abuse one
of the login function calls within the XMLRPC server to get the same 
results
without needing a version of MySQL that supports the UNION functionality.



Forgotten Password Security Issues:
I am going to make a long story short here, and get to the point. If 
register
globals is on then an attacker may take advantage of an uninitialized 
variable
in wp-login.php and change the content of an email sent to the user by 
WordPress.
The problem occurs because the variable $message is never initialized before
being used, so if an attacker abuses this then the normal forgotten password
email message will simply be appended to the attackers message content.



Full Path Disclosure:
There are a number of these issues in wordpress. Below are a few examples.

http://wordpress/wp-admin/menu-header.php
http://wordpress/wp-atom.php?feed=1
http://wordpress/wp-rss.php?feed=1
http://wordpress/wp-rss2.php?feed=1

These issues can aide an attacker in further attacks on the affected system
by disclosing the full physical path on the affected server.



Solution:
A new version of WordPress has been released, and users should upgrade as
soon as possible. The non vulnerable version is 1.5.1.3



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00085-06282005



Credits:
James Bercegay of the GulfTech Security Research Team