Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21070
HistoryDec 23, 2008 - 12:00 a.m.

[ISecAuditors Security Advisories] Wordpress is vulnerable to an unauthorized upgrade and XSS

2008-12-2300:00:00
vulners.com
21
JSON

=============================================
INTERNET SECURITY AUDITORS ALERT 2008-001

  • Original release date: January 3rd, 2008
  • Last revised: December 22nd, 2008
  • Discovered by: Jesus Olmos Gonzalez
  • Severity: 2/5
    =============================================

I. VULNERABILITY

Wordpress is vulnerable to an unauthorized upgrade and XSS

II. BACKGROUND

WordPress started in 2003 with a single bit of code to enhance the
typography of everyday writing and with fewer users than you can count
on your fingers and toes. Since then it has grown to be the largest
self-hosted blogging tool in the world, used on hundreds of thousands
of sites and seen by tens of millions of people every day. With a very
active development and evolution.

III. DESCRIPTION

If the WordPress is not the last version, anybody can upgrades the
aplication using wp-admin/upgrade.php

The snippet of vulnerable code:

if (isset($_GET['step']))
$step = (int) $_GET['step'];

switch($step) :
case 0:
$goback = clean_url(stripslashes(wp_get_referer()));

case 1:
wp_upgrade();
if ( empty( $_GET['backto'] ) )
$backto = __get_option('home') . '/';

If step is set to one, the link "Have fun" is set to the backto
parameter value, then is possible to make a Cross Site Attack to steal
user sessions.

IV. PROOF OF CONCEPT

http://www.victim.com/wp-admin/upgrade.php
http://www.victim.com/wp-admin/upgrade.php?step=1&backto=http://www.The-attacker.org

V. BUSINESS IMPACT

If the upgrade fails, the availibility of the wordpress could be
affected. If the cross site attack succeeds, the confidentiality and
integrity of the content will be afected.

VI. SYSTEMS AFFECTED

All versions of wordpress are affected.

VII. SOLUTION

Wordpress considered was not as serious as it seams. So no patch
published for this issue.

VIII. REFERENCES

http://www.wordpress.org

IX. CREDITS

This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY

December 21, 2007: Initial release
January 7, 2008: More details added.

XI. DISCLOSURE TIMELINE

December 21, 2007: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
January 6, 2008: WordPress security contacted.
January 11, 2008: WordPress security confirms they consider the
vulnerability as low impact.
December 22, 2008: Published

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.

JSON