Multiple Remote Vulnerabilities in Wordpress

2007-01-25T00:00:00

Description

Advisory: Multiple Remote Vulnerabilities in Wordpress Advisory ID: 4tphi-sa-20070111-wordpress Release Date: 01-24-2007 Author: Blake Matheny (bmatheny@mobocracy.net) Software: WordPress < 2.1 Impact: Remote & Local DoS, File Disclosure Overview: From Wikipedia, "WordPress is a blog publishing system written in PHP and backed by a MySQL database." Multiple vulnerabilities exist in the XMLRPC and Pingback implementation that are included with Wordpress. Note that some issues discovered with Pingback affect other vendors as well. Please see the following advisory for details: 4tphi-sa-20070111-pingback Details: WordPress is vulnerable to the attacks described in the pingback advisory. In testing, a single PC on a T1 connection was able to cripple two dual Xeon apache servers on separate 100Mb connection. This was accomplished by sending out multiple requests to server A specifying a sourceURI on server B that was a 1GB media file. This attack utilizes resources on server A and server B, but not the malicious users machine. Additionally, WordPress does not sanitize the sourceURI before passing it to wp_remote_fopen(); This makes it possible to specify non-HTTP resources to be read such as local files or ftp sources. In particular, a malicious user can determine whether certain files exist on the local file system. For example, the following request would help determine the version of Linux being used: <methodCall> <methodName>pingback.ping</methodName> <params> <param> <value><string>/etc/SuSE-release</string></value> </param> <param> <value><string>http://b.example.com/#p</string></value> </param> </params> </methodCall> If this file does not exist, fault 16 (source URI does not exist) will be returned and if it does exist it is likely that fault 17 (source URI does not contain a link to the target URI) will be returned. This works whether curl or the fopen() stream is used, only the uri has to be changed. This will not work if the webserver user can not read the file. If the administrator has allowed automatic pingbacks to show up as comments, it is possible for an attacker to have system information display in that comment. For instance, an attacker could request a url on the host with the following text in it: <title>example</title><a href="valid targetURI">text</a> If that showed up in the apache access_log or error_log, and the webserver user had permission to read that file the above XMLRPC request, after determining the OS, could specify the log as the sourceURI. This would cause some of the log file to be displayed as a comment. The session file for PHP would be a good target. Recommendations: Upgrade to Wordpress 2.1. The original recommendations made to the Wordpress security team can be found below. Please note that Wordpress still does not check the content type, however the timeout has been set to 10 seconds and as such the impact of binary files is minimized. The local file issues can be resolved by ensuring that the URI scheme is HTTP. This also disallows other resources, such as ftp, from being read. In order to prevent overly large files from being retrieved, a reasonable timeout for curl and fopen should be set. Also, if content is missing a compatible Content-Type (such as text/xml) it should not be read as it can not be parsed. The attached patch is one possible solution to the issues described above. There are some more significant design problems, particularly with respect to pingback authentication. These are described in the pingback advisory and are not addressed here, as there has been no formal specification modification yet. Disclosure Timeline: 01-24-2007 - Released 01-18-2007 - Response from Wordpress. Waiting on release of 2.1 to disclose. Code base includes patch. 01-14-2007 - Notified security@wordpress.org References: 4tphi-sa-20070111-pingback - Weaknesses in pingback design 4tphi-sa-20070111-wordpress.diff - Patch to partially fix issues LEGAL NOTICES This advisory is being provided to you under the RFPolicy documented at http://www.wiretrip.net/rfp/policy.html. You are encouraged to read this policy; however, in the interim, you have approximately 5 days to respond to this initial email. -- Blake Matheny bmatheny@mobocracy.net http://mobocracy.net

{"id": "SECURITYVULNS:DOC:15855", "bulletinFamily": "software", "title": "Multiple Remote Vulnerabilities in Wordpress", "description": " \r\n Advisory: Multiple Remote Vulnerabilities in Wordpress\r\n Advisory ID: 4tphi-sa-20070111-wordpress\r\n Release Date: 01-24-2007\r\n Author: Blake Matheny (bmatheny@mobocracy.net)\r\n\r\n Software: WordPress < 2.1\r\n\r\n Impact: Remote & Local DoS, File Disclosure\r\n\r\n\r\n\r\nOverview:\r\n\r\n From Wikipedia, "WordPress is a blog publishing system written in PHP\r\nand backed by a MySQL database."\r\n \r\n Multiple vulnerabilities exist in the XMLRPC and Pingback\r\nimplementation that are included with Wordpress. Note that some issues\r\ndiscovered with Pingback affect other vendors as well. Please see\r\nthe following advisory for details: 4tphi-sa-20070111-pingback\r\n\r\n\r\n\r\nDetails:\r\n\r\n WordPress is vulnerable to the attacks described in the pingback\r\nadvisory. In testing, a single PC on a T1 connection was able to cripple\r\ntwo dual Xeon apache servers on separate 100Mb connection. This was\r\naccomplished by sending out multiple requests to server A specifying a\r\nsourceURI on server B that was a 1GB media file. This attack utilizes\r\nresources on server A and server B, but not the malicious users machine.\r\n\r\n Additionally, WordPress does not sanitize the sourceURI before passing\r\nit to wp_remote_fopen(); This makes it possible to specify non-HTTP\r\nresources to be read such as local files or ftp sources. In particular, a\r\nmalicious user can determine whether certain files exist on the local file\r\nsystem. For example, the following request would help determine the\r\nversion of Linux being used:\r\n <methodCall>\r\n <methodName>pingback.ping</methodName>\r\n <params>\r\n <param>\r\n <value><string>/etc/SuSE-release</string></value>\r\n </param>\r\n <param>\r\n <value><string>http://b.example.com/#p</string></value>\r\n </param>\r\n </params>\r\n </methodCall>\r\nIf this file does not exist, fault 16 (source URI does not exist) will be\r\nreturned and if it does exist it is likely that fault 17 (source URI does\r\nnot contain a link to the target URI) will be returned. This works\r\nwhether curl or the fopen() stream is used, only the uri has to be\r\nchanged. This will not work if the webserver user can not read the file.\r\n If the administrator has allowed automatic pingbacks to show up as\r\ncomments, it is possible for an attacker to have system information\r\ndisplay in that comment. For instance, an attacker could request a url on\r\nthe host with the following text in it:\r\n <title>example</title><a href="valid targetURI">text</a>\r\nIf that showed up in the apache access_log or error_log, and the\r\nwebserver user had permission to read that file the above XMLRPC request,\r\nafter determining the OS, could specify the log as the sourceURI. This\r\nwould cause some of the log file to be displayed as a comment. The session\r\nfile for PHP would be a good target.\r\n\r\n\r\n\r\nRecommendations:\r\n\r\n Upgrade to Wordpress 2.1. The original recommendations made to the\r\nWordpress security team can be found below. Please note that Wordpress\r\nstill does not check the content type, however the timeout has been set to\r\n10 seconds and as such the impact of binary files is minimized.\r\n\r\n The local file issues can be resolved by ensuring that the URI scheme\r\nis HTTP. This also disallows other resources, such as ftp, from being\r\nread. In order to prevent overly large files from being retrieved, a \r\nreasonable timeout for curl and fopen should be set. Also, if content is\r\nmissing a compatible Content-Type (such as text/xml) it should not be read\r\nas it can not be parsed. The attached patch is one possible solution to\r\nthe issues described above. There are some more significant design\r\nproblems, particularly with respect to pingback authentication. These are\r\ndescribed in the pingback advisory and are not addressed here, as there\r\nhas been no formal specification modification yet.\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n\r\n 01-24-2007 - Released\r\n 01-18-2007 - Response from Wordpress. Waiting on release of 2.1 to\r\n disclose. Code base includes patch.\r\n 01-14-2007 - Notified security@wordpress.org\r\n\r\n\r\n\r\nReferences:\r\n\r\n 4tphi-sa-20070111-pingback - Weaknesses in pingback design\r\n 4tphi-sa-20070111-wordpress.diff - Patch to partially fix issues\r\n\r\n\r\n\r\nLEGAL NOTICES\r\n\r\nThis advisory is being provided to you under the RFPolicy documented at\r\nhttp://www.wiretrip.net/rfp/policy.html. You are encouraged to read this\r\npolicy; however, in the interim, you have approximately 5 days to respond\r\nto this initial email.\r\n\r\n\r\n-- \r\nBlake Matheny\r\nbmatheny@mobocracy.net\r\nhttp://mobocracy.net", "published": "2007-01-25T00:00:00", "modified": "2007-01-25T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15855", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:20", "edition": 1, "viewCount": 10, "enchantments": {"score": {"value": 1.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7108"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7108"]}]}, "exploitation": null, "vulnersScore": 1.5}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645609367}}