[waraxe-2007-SA#059] - XSS in WordPress 2.3 ==================================================================== Author: Janek Vind "waraxe" Date: 27. October 2007 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-59.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. To run WordPress your host just needs a couple of things: PHP version 4.2 or greater MySQL version 4.0 or greater Vulnerabilities: Cross-Site Scripting (XSS) in "edit-post-rows.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Let's have a look inside "/wp-admin/edit-post-rows.php": ------------>[source code]<------------ ------------>[/source code]<----------- As we can see, array "posts_columns" is uninitialized and if we execute this php script directly, then arbitrary value for that variable can be delivered. This means, that reflective XSS exists here. And of course, "register_globals" must be "on" for this exploit to be successful. Proof of concept: http://victim.com/wp-admin/edit-post-rows.php?posts_columns[]= //-----> See ya soon and have a nice day ;) <-----// How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Get latest WordPress version 2.3.1: http://wordpress.org/latest.zip ... and update ASAP :) Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and anyone else who know me! Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale! Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Homepage: http://www.waraxe.us/ Shameless advertise: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SHA Hash Calculator - http://sha1-hash-online.waraxe.us/ Biography Database - http://www.biosaxe.com/ ---------------------------------- [ EOF ] ----------------------------