The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WordPress CSRF Protection XSS Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.wordpress.org> WordPress was "born out of a desire for an
elegant, well-architectured personal publishing system built on PHP and
MySQL and licensed under the GPL. It is the official successor of
b2/cafelog. WordPress is fresh software, but its roots and development go
back to 2001. It is a mature and stable product. We hope by focusing on
user experience and web standards we can create a tool different from
anything else out there".
While testing WordPress it was discovered that there is a XSS
vulnerability in the CSRF protection of WordPress's administration
interface. This might result in a compromise of the admin account and
might result in the execution of arbitrary PHP code.
DETAILS
Vulnerable Systems:
* WordPress version 2.0.5 and prior
Immune Systems:
* WordPress version 2.0.6
The administration interface within WordPress comes with a token based
CSRF protection. When a request is received with an invalid token it is
not discarded like in many similar applications, but a warning screen is
returned that asks the admin to verify the action by clicking on a link
(that contains a valid token).
Unfortunately there was a bug in the way the request information (URL
variables) was put into the new link. Due to this fault it was possible to
break out of the HTML string context by embedding quotes and HTML tags
into the names of URL variables.
Due to this is is possible to launch XSS attacks against admin users
currently logged into their WordPress and perform all possible
administrative actions (or simply steal the login cookie). Depending on
the file permissions on the server (for example a writeable wp-config.php
or template file) this can also be exploited to execute arbitrary PHP
code.
Disclosure Timeline:
14. November 2006 - Notified security@wordpress.org
05. January 2007 - WordPress 2.0.6 release
05. January 2007 - Public Disclosure
Recommendation:
We strongly recommend to upgrade to WordPress 2.0.6 which also fixes
several other security vulnerabilities not covered by this advisory:
<http://wordpress.org/download/> http://wordpress.org/download/
ADDITIONAL INFORMATION
The information has been provided by <mailto:sesser@hardened-php.net>
Stefan Esser.
The original article can be found at:
<http://www.hardened-php.net/advisory_012007.140.html>
http://www.hardened-php.net/advisory_012007.140.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
