Hardened-PHP Project Security Advisory 2007-01.140
Posted Jan 7, 2007
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

Hardened-PHP Project Security Advisory - WordPress versions 2.0.5 and below are susceptible to a cross-site scripting vulnerability in the CSRF protection of the administration interface.

tags | advisory, php, xss
SHA-256 | 2e3cbc0dfeeffe8d32e3e64641b81da4f32b8024d0bbc6b54762599b015b0f9a

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-


Advisory: WordPress CSRF Protection XSS Vulnerability
Release Date: 2007/01/05
Last Modified: 2007/01/05
Author: Stefan Esser [sesser@hardened-php.net]

Application: WordPress <= 2.0.5
Severity: The CSRF protection of WordPress's administration
interface is vulnerable to an XSS vulnerability
which might result in a compromise of the admin
account and the execution of arbitrary PHP code
on the server
Risk: Critical
Vendor Status: Vendor has released WordPress 2.0.6 which fixes this issue
References: http://www.hardened-php.net/advisory_012007.140.html


Overview:

Quote from http://www.wordpress.org
"WordPress was born out of a desire for an elegant, well-
architectured personal publishing system built on PHP and MySQL
and licensed under the GPL. It is the official successor of
b2/cafelog. WordPress is fresh software, but its roots and
development go back to 2001. It is a mature and stable product.
We hope by focusing on user experience and web standards we can
create a tool different from anything else out there."

While testing WordPress it was discovered that there is an XSS
vulnerability in the CSRF protection of WordPress's administration
interface. This might result in a compromise of the admin account
and, depending on the server, in the execution of arbitrary PHP code.


Details:

The administration interface within WordPress comes with a token
based CSRF protection. When a request is received with an invalid
token it is not simply discarded, as in many similar applications;
instead a warning screen is returned that asks the admin to verify
the action by clicking on a link (that contains a valid token).

Unfortunately there was a bug in the way the request information
(URL variables) was put into the new link. Due to this fault it
was possible to break out of the HTML string context by embedding
quotes and HTML tags into the names of URL variables.

Because of this it is possible to launch XSS attacks against admin
users currently logged into their WordPress installation and to
perform all possible administrative actions (or simply steal the
login cookie). Depending on the file permissions on the server (for
example a writeable wp-config.php or template file) this can also be
exploited to execute arbitrary PHP code.
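The following is an added illustration of the flaw class described above; it is not WordPress code and not part of the original advisory. A minimal confirmation screen rebuilds the requested URL, with a valid token appended, from the incoming query-string parameters. The vulnerable variant concatenates parameter names and values raw into an HTML attribute, so a name containing a quote and a tag breaks out of the attribute; the fixed variant percent-encodes names and values and then HTML-escapes the URL for the attribute context. The query array, the `/wp-admin/post.php` path and the token value are constructed for the example.

```php
<?php
// Added example (not WordPress code): a stand-in for a CSRF
// "are you sure?" screen that rebuilds the requested URL, plus a
// valid token, from the incoming query-string parameters.

// Constructed request: the attacker controls a parameter *name*,
// not just a value, which is what the advisory describes.
$constructed_query = [
    "'><script>alert(1)</script><a x='" => '1',
    'action' => 'delete',
    'post'   => '42',
];
$valid_token = 'a1b2c3d4e5'; // hypothetical; stands in for a freshly issued nonce

function vulnerable_confirm_link(array $params, string $token): string {
    // Bug: names and values are interpolated raw into an HTML attribute.
    // The quote in the first name closes href='...', the '>' closes the
    // <a> tag, and the attacker's script tag is rendered as markup.
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = "$k=$v";
    }
    $url = '/wp-admin/post.php?' . implode('&', $pairs) . "&_wpnonce=$token";
    return "<a href='$url'>Yes</a>";
}

function fixed_confirm_link(array $params, string $token): string {
    // http_build_query() percent-encodes both names and values, so a
    // quote or '<' in a name becomes %27 / %3C and can no longer end
    // the attribute. htmlspecialchars() with ENT_QUOTES then escapes the
    // finished URL for the single-quoted attribute context ('&' -> '&amp;').
    $params['_wpnonce'] = $token;
    $url = '/wp-admin/post.php?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return "<a href='" . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "'>Yes</a>";
}

echo "Vulnerable:\n", vulnerable_confirm_link($constructed_query, $valid_token), "\n\n";
echo "Fixed:\n", fixed_confirm_link($constructed_query, $valid_token), "\n";
```

Two points to keep in mind when reviewing code of this shape: PHP only rewrites `.` and space in `$_GET` keys (to `_`), so quotes, `<` and `>` survive in parameter names and must be treated as attacker input like any value; and the encoding has to be done twice, once for the URL (percent-encoding) and once for the HTML attribute the URL is placed in, since neither step alone covers both contexts.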


Proof of Concept:

The Hardened-PHP Project is not going to release a proof of concept
exploit for this vulnerability.


Disclosure Timeline:

14. November 2006 - Notified security@wordpress.org
05. January 2007 - WordPress 2.0.6 release
05. January 2007 - Public Disclosure


Recommendation:

We strongly recommend upgrading to WordPress 2.0.6, which also
fixes several other security vulnerabilities not covered by this
advisory.

http://wordpress.org/download/


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2007 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFnnflRDkUzAqGSqERAj0FAJ90O0DfF6ETzPOepDmSmERA34OoqwCeIgSP
hGSWX194r0vFm40tMaUc4bQ=
=R3/p
-----END PGP SIGNATURE-----
