Wordpress Forced Upgrade Vulnerability

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2008-001  
- Original release date: January 3rd, 2008  
- Last revised: December 22nd, 2008  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 2/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Wordpress is vulnerable to an unauthorized upgrade and XSS  
  
II. BACKGROUND  
-------------------------  
WordPress started in 2003 with a single bit of code to enhance the  
typography of everyday writing and with fewer users than you can count  
on your fingers and toes. Since then it has grown to be the largest  
self-hosted blogging tool in the world, used on hundreds of thousands  
of sites and seen by tens of millions of people every day. With a very  
active development and evolution.  
  
III. DESCRIPTION  
-------------------------  
If the WordPress is not the last version, anybody can upgrades the  
aplication using wp-admin/upgrade.php  
  
The snippet of vulnerable code:  
  
if (isset($_GET['step']))  
$step = (int) $_GET['step'];  
...  
switch($step) :  
case 0:  
$goback = clean_url(stripslashes(wp_get_referer()));  
...  
case 1:  
wp_upgrade();  
if ( empty( $_GET['backto'] ) )  
$backto = __get_option('home') . '/';  
...  
  
If step is set to one, the link "Have fun" is set to the backto  
parameter value, then is possible to make a Cross Site Attack to steal  
user sessions.  
  
IV. PROOF OF CONCEPT  
-------------------------  
http://www.victim.com/wp-admin/upgrade.php  
http://www.victim.com/wp-admin/upgrade.php?step=1&backto=http://www.The-attacker.org  
  
V. BUSINESS IMPACT  
-------------------------  
If the upgrade fails, the availibility of the wordpress could be  
affected. If the cross site attack succeeds, the confidentiality and  
integrity of the content will be afected.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
All versions of wordpress are affected.  
  
VII. SOLUTION  
-------------------------  
Wordpress considered was not as serious as it seams. So no patch  
published for this issue.  
  
VIII. REFERENCES  
-------------------------  
http://www.wordpress.org  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
December 21, 2007: Initial release  
January 7, 2008: More details added.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
December 21, 2007: Vulnerability acquired by  
Internet Security Auditors (www.isecauditors.com)  
January 6, 2008: WordPress security contacted.  
January 11, 2008: WordPress security confirms they consider the  
vulnerability as low impact.  
December 22, 2008: Published  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors, S.L. accepts no responsibility for any  
damage caused by the use or misuse of this information.  
`