Информационная безопасность
[RU] switch to English


Дополнительная информация

  Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )

  Omnistar Live Software Cross-Site Scripting Vulrnability

  SAXON version 5.4 Multiple Path Disclosure Vulnerabilities

  SAXON version 5.4 SQL Injection Vulnerability

  SAXON version 5.4 XSS Attack Vulnerability

From:Janek Vind <come2waraxe_(at)_yahoo.com>
Date:29 октября 2007 г.
Subject:[waraxe-2007-SA#059] - XSS in WordPress 2.3


[waraxe-2007-SA#059] - XSS in WordPress 2.3
====================================================================

Author: Janek Vind "waraxe"
Date: 27. October 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-59.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.

To run WordPress your host just needs a couple of things:

PHP version 4.2 or greater
MySQL version 4.0 or greater

Vulnerabilities: Cross-Site Scripting (XSS) in "edit-post-rows.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's have a look inside "/wp-admin/edit-post-rows.php":

------------>[source code]<------------
<?php foreach($posts_columns as $column_display_name) { ?>
       <th scope="col"><?php echo $column_display_name; ?></th>
<?php } ?>
------------>[/source code]<-----------

As we can see, array "posts_columns" is uninitialized and if we execute
this php script directly, then arbitrary value for that variable can be
delivered. This means, that reflective XSS exists here. And of course,
"register_globals" must be "on" for this exploit to be successful.

Proof of concept:

http://victim.com/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert
(123);</script>


//-----> See ya soon and have a nice day ;) <-----//

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Get latest WordPress version 2.3.1:

http://wordpress.org/latest.zip

... and update ASAP :)


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[email protected]
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/


Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SHA Hash Calculator - http://sha1-hash-online.waraxe.us/
Biography Database - http://www.biosaxe.com/

---------------------------------- [ EOF ] ----------------------------

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород