Hello Bugtraq! I want to warn you about Cross-Site Scripting, Full path disclosure, Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial of Service vulnerabilities in WordPress. For all these attacks it's needed to have access to admin account, or to have account with rights for working with plugins. Or to attack admin or other user with required rights via XSS, to find out token which designed to protect against CSRF attacks. So users of WordPress don't need to worry much about these holes (if to not allow above-mentioned requirements). But these vulnerabilities will come in useful to security researchers at access to admin panel or at existence of XSS at the site. So it's better for WP developers to fix them. ------------------------- Affected products: ------------------------- Checked in WordPress 2.0.11, 2.6.2, 2.7, 2.8, 2.9.2, 3.0.1. Versions 2.0.х are not vulnerable, because they have not such functionality. Vulnerable to different vulnerabilities are WordPress 2.6 - 3.0.1 and potentially previous versions. ---------- Details: ---------- While commenting XSS vulnerability in WordPress 3.0.1 (http://www.securityfocus.com/archive/1/513250), I mentioned additional information concerning XSS vulnerability. These nuances concern and to below-mentioned vulnerabilities. It's possible to attack as via parameter checked[0], as via checked[1] and so on, and also via checked[]. In versions WP 2.7 and higher it's possible to use parameter action=delete-selected, and in versions 2.8 and higher it's also possible to use parameter action2=delete-selected. XSS (WASC-08): As I pointed out in above-mentioned letter, in WordPress 2.6.x Cross-Site Scripting attack is conducting differently. And there is almost no benefit from this XSS. For attack it's needed to send POST request to http://site/wp-admin/plugins.php with parameters _wpnonce equal token's value, delete-selected equal "Delete" and checked[] equal <body onload=alert(document.cookie)>. Vulnerable are WordPress 2.6.x and potentially previous versions. Full path disclosure (WASC-13): For attack it's needed to send POST request to http://site/wp-admin/plugins.php with parameters _wpnonce equal token's value, delete-selected equal "Delete" and checked[] equal "1". Vulnerable are WordPress 2.6.x and potentially previous versions. Full path disclosure (WASC-13): http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=1 http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=1 Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and higher). Full path disclosure (WASC-13): http://site/wp-admin/plugins.php Full path is shown at page with plugins. Vulnerable are WordPress 2.6 - 2.7.1. Information Leakage (WASC-13) + Directory Traversal (WASC-33): At page (in list under the link "Click to view entire list of files which will be deleted") the list of files in current folder and subfolders is shown. In folder http://site/wp-content/plugins/: http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]= http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]= In folder http://site/wp-content/: http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1 http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1 Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and higher). And also WordPress 2.6.х. In versions 2.6.х it's needed to send appropriate POST request to http://site/wp-admin/plugins.php (as mentioned above). Arbitrary File Deletion (WASC-42) + DoS (WASC-10): If to send above-mentioned request with parameter verify-delete=1, then it's possible to delete files and folders in current folder and subfolders. Taking into account Directory Traversal it's possible to delete as all plugins, as all other files in other folders, including it's possible to conduct DoS attack on the site (if to delete important files of WP). E.g. with request checked[]=../../1 it's possible to delete the whole site. http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=../1&verify-delete=1 http://site/wordpress-2.9.2/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action2=delete-selected&checked[]=../1&verify-delete=1 Vulnerable are WordPress 2.7 - 3.0.1 (for parameter action2 - 2.8 and higher). And also WordPress 2.6.х. In versions 2.6.х it's needed to send appropriate POST request to http://site/wp-admin/plugins.php (as mentioned above). ------------ Timeline: ------------ 2010.08.14 - found the vulnerabilities. 2010.09.30 - disclosed at my site. As I already wrote many times to security mailing lists (http://www.securityfocus.com/archive/1/510274), starting from 2008 I never more inform WP developers about vulnerabilities in WordPress. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4575/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
