This just affects the client though right? So doesn't DoS a WordPress blog, just presents an error message to the user if they click on a crafted link. How could this be used in the real world to cause any risk?
>From my understanding you'd have to get the user to click on the tinyurl, which would then show them a browser redirect error? If this is the case, how does this benefit an attacker? On Thu, Jun 27, 2013 at 7:28 PM, MustLive <[email protected]>wrote: > Hello list! > > These are Denial of Service vulnerabilities WordPress. Which I've > disclosed two days ago > (http://websecurity.com.ua/**6600/<http://websecurity.com.ua/6600/> > ). > > About XSS vulnerabilities in WordPress, which exist in two redirectors, I > wrote last year > (http://seclists.org/**fulldisclosure/2012/Mar/343<http://seclists.org/fulldisclosure/2012/Mar/343>). > About Redirector vulnerabilities in these WP scripts I wrote already in > 2007 (and made patches for them). The developers fixed redirectors in WP > 2.3, so Redirector and XSS attacks are possible only in previous versions. > > As I've recently checked, this functionality can be used for conducting > DoS attacks. I.e. to make Looped DoS vulnerabilities from two redirectors > (according to Classification of DoS vulnerabilities in web applications ( > http://websecurity.com.ua/**2663/) <http://websecurity.com.ua/2663/)>), > by combining web site on WordPress with redirecting service or other site. > This attack is similar to looping two redirectors, described in my articles > Redirectors' hell and Hellfire for redirectors. The interesting, that > looped redirector > (http://tinyurl.com/hellfire-**url<http://tinyurl.com/hellfire-url>), > which I've made at 5th of February 2009 for my article Hellfire for > redirectors, is still working. > > ------------------------- > Affected products: > ------------------------- > > Vulnerable are all versions of WordPress: for easy attack - WP 2.2.3 and > previous versions, for harder attack - WP 3.5.2 and previous versions. The > second variant of attack requires Redirector or XSS vulnerability at the > same domain, as web site on WP. > > ---------- > Details: > ---------- > > Denial of Service (WASC-10): > > It's needed to create Custom alias at tinyurl.com or other redirector > service, which will be leading to wp-login.php or wp-pass.php with setting > alias for redirection. > > http://site/wp-login.php?**action=logout&redirect_to=** > http://tinyurl.com/loopeddos1<http://site/wp-login.php?action=logout&redirect_to=http://tinyurl.com/loopeddos1> > > http://site/wp-pass.php?_wp_**http_referer=http://tinyurl.**com/loopeddos2<http://site/wp-pass.php?_wp_http_referer=http://tinyurl.com/loopeddos2> > > Here are examples of these vulnerabilities: > > http://tinyurl.com/loopeddos1 > > http://tinyurl.com/loopeddos2 > > This attack will work for WordPress < 2.3. At that Mozilla, Firefox, > Chrome and Opera will stop endless redirect after series of requests, > unlike IE. > > To make this attack work in all versions of the engine, including > WordPress 3.5.2, it's needed that redirector was on the same domain, as web > site on WP. For this it can be used any vulnerability, e.g. reflected XSS > or persistent XSS (at the same domain), for including a script for > redirecting to one of these redirectors: > > WordPress_Looped_DoS.html > > <script>document.location="htt**p://site/wp-login.php?action=** > logout&redirect_to=http://**site/WordPress_Looped_DoS.html<http://site/wp-login.php?action=logout&redirect_to=http://site/WordPress_Looped_DoS.html> > **"</script> > > WordPress_Looped_DoS-2.html > > <script>document.location="htt**p://site/wp-pass.php<http://site/wp-pass.php> > "</script> > > This attack will work as in WordPress 3.5.2 and previous versions, as it > isn't stopping by the browsers (endless redirect). > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > ______________________________**_________________ > Full-Disclosure - We believe in it. > Charter: > http://lists.grok.org.uk/full-**disclosure-charter.html<http://lists.grok.org.uk/full-disclosure-charter.html> > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
