SECURITYVULNS:DOC:28242
Jul 09, 2012

XSS, Redirector and FPD vulnerabilities in WordPress

vulners.com

Hello 3APA3A!

In June I disclosed vulnerabilities in WordPress, which I'd like to present to you. They are in the Akismet plugin for WordPress, which is a core plugin (since WP 2.0), so these vulnerabilities concern WordPress itself. This is the first in a series of advisories concerning vulnerabilities in Akismet.

These are Cross-Site Scripting, Redirector and Full path disclosure vulnerabilities.


Affected products:

Akismet 2.5.6 and earlier, and WordPress 2.0 through 3.4.1, are vulnerable. Akismet 2.5.6 is bundled with the latest WordPress releases, 3.4 and 3.4.1.


Details:

XSS (WASC-08):

A GET request to http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1, http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1 or http://site/wp-admin/admin.php?action=akismet_recheck_queue (depending on the version; in WP 3.x the last address is used), with the Referer header set as shown below.

Setting the Referer header can be done via Flash or other methods. Last year I wrote the article "XSS attacks via User-Agent header" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-June/007909.html), and almost all of those methods can be used for the Referer header as well.

Referer: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

On IIS web servers the redirect is issued via a Refresh header, and on other web servers via a Location header; the Refresh variant is what lets a data: URL in the Referer render as script.

Redirector (URL Redirector Abuse) (WASC-38):

A GET request to http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1, http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1 or http://site/wp-admin/admin.php?action=akismet_recheck_queue (depending on the version; in WP 3.x the last address is used), with the Referer header set to an external address as shown below. The plugin redirects to the Referer value without checking that it points back to the blog. Setting the header can be done via Flash or other methods.

Referer: http://attackers_site

In WP <= 2.0.11 (Akismet <= 2.0.2), because of an error in the plugin, the XSS and Redirector attacks do not work, but they do work with newer versions of the plugin in the various versions of WordPress before 3.4.

Note that in the latest version, Akismet 2.5.6 (bundled with WP 3.4 and 3.4.1), these two vulnerabilities are already fixed (silently, without any mention in the plugin's readme.txt or in WP announcements). It looks like this happened after my March or April advisory about XSS and Redirector vulnerabilities via redirectors in WP.
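As an added, defender-side illustration (not Akismet's or WordPress's own code, and in Python rather than the plugin's PHP), the allow-list check that closes both the Referer-based XSS and the open redirect described above: only an http/https URL on the blog's own host is followed, everything else falls back to a fixed admin page. `SITE_HOST`, `FALLBACK` and the helper names are assumptions made for this note.

```python
from urllib.parse import urlparse

# Assumed values for this illustration: the blog's own host name and a
# safe default target when the Referer cannot be trusted.
SITE_HOST = "site"
FALLBACK = "/wp-admin/edit-comments.php"


def safe_redirect_target(referer, site_host=SITE_HOST, fallback=FALLBACK):
    """Return a path on our own host to redirect to, or the fallback.

    Hypothetical helper: it applies the allow-list idea behind WordPress
    core's wp_safe_redirect() instead of echoing the raw Referer header
    into a Location (or, on IIS, Refresh) header.
    """
    if not referer:
        return fallback
    parts = urlparse(referer.strip())
    # Only http/https may be followed. A data: or javascript: URL placed in
    # a Refresh header is rendered as script in the victim's browser, which
    # is the XSS vector the advisory describes.
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    # The host must be the blog itself; anything else is an open redirect.
    # urlparse().hostname already drops userinfo ("site@evil") and the port.
    if parts.hostname is None or parts.hostname.lower() != site_host.lower():
        return fallback
    # Re-assemble only path and query so userinfo, fragment and other parts
    # of the original header never reach the response.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    if any(c in target for c in "\r\n"):
        return fallback  # no header injection via embedded line breaks
    return target


def redirect_header(referer):
    """Header pair the handler should emit: always Location, never Refresh."""
    return ("Location", safe_redirect_target(referer))
```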

Full path disclosure (WASC-13):

Because of the above-mentioned error in the plugin, the XSS and Redirector attacks do not work in old versions of Akismet (such as 2.0.2), but a full path disclosure occurs on a request to the following scripts:

http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1 or http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1 (depending on the version of WP).

Full path disclosure (WASC-13):

Whereas the previous FPD occurs inside a logged-in account (under wp-admin), the following FPDs do not require authorization:

http://site/wp-content/plugins/akismet/admin.php

http://site/wp-content/plugins/akismet/akismet.php

http://site/wp-content/plugins/akismet/legacy.php

http://site/wp-content/plugins/akismet/widget.php


Timeline:

2012.02.23 - found vulnerabilities in Akismet 2.5.3. Later tested in other versions of the plugin from different versions of WordPress.
2012.06.29 - disclosed at my site (http://websecurity.com.ua/5933/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua