[UNIX] Multiple Vulnerabilities in WordPress (pingback, local files)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 25 Jan 2007 15:45:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in WordPress (pingback, local files)
------------------------------------------------------------------------
SUMMARY
"WordPress is a blog publishing system written in PHP and backed by a
MySQL database." Multiple vulnerabilities exist in the XMLRPC and Pingback
implementation that are included with WordPress.
DETAILS
Vulnerable Systems:
* WordPress versions prior to 2.1
Immune Systems:
* WordPress version 2.1 and newer
WordPress is vulnerable to the attacks described in the pingback advisory.
In testing, a single PC on a T1 connection was able to cripple two dual
Xeon apache servers on separate 100Mb connection. This was accomplished by
sending out multiple requests to server A specifying a sourceURI on server
B that was a 1GB media file. This attack utilizes resources on server A
and server B, but not the malicious users machine.
Additionally, WordPress does not sanitize the sourceURI before passing it
to wp_remote_fopen(); This makes it possible to specify non-HTTP resources
to be read such as local files or ftp sources. In particular, a malicious
user can determine whether certain files exist on the local file system.
For example, the following request would help determine the version of
Linux being used:
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>/etc/SuSE-release</string></value>
</param>
<param>
<value><string>http://b.example.com/#p</string></value>
</param>
</params>
</methodCall>
If this file does not exist, fault 16 (source URI does not exist) will be
returned and if it does exist it is likely that fault 17 (source URI does
not contain a link to the target URI) will be returned. This works whether
curl or the fopen() stream is used, only the uri has to be changed. This
will not work if the webserver user can not read the file.
If the administrator has allowed automatic pingbacks to show up as
comments, it is possible for an attacker to have system information
display in that comment. For instance, an attacker could request a url on
the host with the following text in it:
<title>example</title><a href="valid targetURI">text</a>
If that showed up in the apache access_log or error_log, and the webserver
user had permission to read that file the above XMLRPC request, after
determining the OS, could specify the log as the sourceURI. This would
cause some of the log file to be displayed as a comment. The session file
for PHP would be a good target.
Recommendations:
Upgrade to Wordpress 2.1. The original recommendations made to the
WordPress security team can be found below. Please note that Wordpress
still does not check the content type, however the timeout has been set to
10 seconds and as such the impact of binary files is minimized.
The local file issues can be resolved by ensuring that the URI scheme is
HTTP. This also disallows other resources, such as ftp, from being read.
In order to prevent overly large files from being retrieved, a reasonable
timeout for curl and fopen should be set. Also, if content is missing a
compatible Content-Type (such as text/xml) it should not be read as it can
not be parsed. The attached patch is one possible solution to the issues
described above. There are some more significant design problems,
particularly with respect to pingback authentication. These are described
in the pingback advisory and are not addressed here, as there has been no
formal specification modification yet.
Disclosure Timeline:
01-24-2007 - Released
01-18-2007 - Response from Wordpress. Waiting on release of 2.1 to
disclose. Code base includes patch.
01-14-2007 - Notified security@xxxxxxxxxxxxx
References:
4tphi-sa-20070111-pingback - Weaknesses in pingback design
4tphi-sa-20070111-wordpress.diff - Patch to partially fix issues
ADDITIONAL INFORMATION
The information has been provided by <mailto:bmatheny@xxxxxxxxxxxxx>
Blake Matheny.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability
- Next by Date: [UNIX] DokuWiki fetch.php "media" XSS (HTTP Header-Splitting)
- Previous by thread: [NT] Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability
- Next by thread: [UNIX] DokuWiki fetch.php "media" XSS (HTTP Header-Splitting)
- Index(es):
Relevant Pages
|
|
