Vendor : WordPress
URL : http://wordpress.org/
Version: WordPress 1.2.1
Risk: XSS
Visit http://wordpress.org/ for detailed information.
So I contacted the main developer again on October
28th and posted the notice about several security
flaws in their support forum to be sure the message
reaches the developers. On December 15th - yesterday
> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) != get_settings('siteurl') )
>     update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) );
With a URI like
/wp-login.php?="><script>alert(document.cookie)</script></script>
an attacker was able to store arbitrary values in
the global siteurl setting.
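The auto-detection logic above, modelled in Python as an added example (this is not WordPress code): posixpath.dirname stands in for PHP dirname(), and TRUSTED_HOSTS and the sample URIs are assumed, constructed values. The hardened variant shows the checks a fix needs: refuse untrusted hosts, never let the query string reach a setting, restrict path characters, and escape the stored value on output.

```python
import posixpath
import re
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values modelled on the advisory; none are from a real site.
TRUSTED_HOSTS = {"example.com"}  # assumed: host(s) the operator actually serves
PAYLOAD_URI = '/wp-login.php?="><script>alert(document.cookie)</script></script>'
BENIGN_URI = "/blog/wp-login.php"
SAFE_PATH = re.compile(r"[A-Za-z0-9._~/-]*")


def vulnerable_siteurl(host: str, request_uri: str) -> str:
    """Mirror of the 1.2.1 auto-detection. posixpath.dirname cuts at the last '/',
    exactly as PHP dirname() does here; with the payload that slash sits inside
    the trailing '</script>', so the first <script> block survives into siteurl."""
    return posixpath.dirname("http://" + host + request_uri)


def hardened_siteurl(host: str, request_uri: str) -> Optional[str]:
    """Derive a site URL only from parts that pass validation; return None when
    the request must not be allowed to change the setting at all."""
    if host not in TRUSTED_HOSTS:
        return None
    parts = urlsplit("http://" + host + request_uri)
    if parts.query or parts.fragment:  # request data never belongs in a setting
        return None
    path = posixpath.dirname(parts.path)
    if not SAFE_PATH.fullmatch(path):
        return None
    return "http://" + host + path


def render_siteurl(value: str) -> str:
    """Output-side defence: escape the stored value before echoing it into HTML,
    so even a poisoned siteurl cannot break out of an attribute or tag."""
    return escape(value, quote=True)


if __name__ == "__main__":
    poisoned = vulnerable_siteurl("example.com", PAYLOAD_URI)
    print("1.2.1 would store:", poisoned)
    print("hardened stores  :", hardened_siteurl("example.com", PAYLOAD_URI))
    print("benign request   :", hardened_siteurl("example.com", BENIGN_URI))
    print("escaped on output:", render_siteurl(poisoned))
```

The safest fix is not to derive a persistent setting from request data at all; the hardened function only shows what validation is required if such detection is kept.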
Another issue was that an administrator or privileged
user was able to post messages, add new categories,
change profile values etc. with HTML code in them.
Still vulnerable in WP-1.2.1:
/wp-login.php?redirect_to=[XSS]
/wp-admin/bookmarklet.php?popupurl=[XSS]
/wp-admin/bookmarklet.php?content=[XSS]
XSS vulns they did not fix:
/wp-admin/edit-comments.php?s=[XSS]
/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/link-add.php?linkurl=[XSS]
/wp-admin/link-add.php?name=[XSS]
/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
/wp-admin/link-manager.php?order_by=[XSS]
/wp-admin/link-manager.php?cat_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
/wp-admin/post.php?content=[XSS]
/wp-admin/moderation.php?action=update&item_approved=[XSS]
SQL errors:
/index.php?m=bla
/wp-admin/edit.php?m=bla
/wp-admin/link-categories.php?cat_id=bla&action=Edit
Solution
Upgrade to WordPress 1.2.2 [2]
Credits
Thomas Waldegger
[1] http://www.securityfocus.com/archive/1/376766
[2] http://wordpress.org/development/2004/12/one-point-two-two/