SecurityvulnsSECURITYVULNS:DOC:28307XSS, Redirector and CSRF vulnerabilities in WordPress
Hello 3APA3A!
After seven previous vulnerabilities in Akismet, here are new holes. They take place in plugin Akismet for WordPress and it's core-plugin (since version WP 2.0), so these vulnerabilities concern WordPress itself. This is the second in series of advisories concerning vulnerabilities in Akismet.
These are Cross-Site Scripting, Redirector and Cross-Site Request Forgery vulnerabilities.
Affected products:
Vulnerable are Akismet 2.5.6 and previous versions and WordPress 2.0 - 3.4.1. Akismet 2.5.6 is bundled with the last versions 3.4 and 3.4.1 of WordPress.
Details:
XSS (WASC-08):
If the option "Auto-delete spam submitted on posts more than a month old" is turned on and at sending of spam comment to a post, which is older then 30 days, XSS and Redirector attacks are possible (and they can be conducted as on logged in admins and users, as on any visitors of the site). Vulnerable are all versions of Akismet with this functionality (before version 2.5.6).
It's needed to send POST request to http://site/wp-comments-post.php (similar to my previous exploit for XSS in comments) with setting of Referer header. This can be done via Flash or other methods. Last year I've wrote the article XSS attacks via User-Agent header (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-June/007909.html) and almost all of these methods can be used for Referer header.
Referer: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
At IIS web servers the redirect is going via Refresh header, and at other web servers - via Location header.
Redirector (URL Redirector Abuse) (WASC-38):
The attack is going with above-mentioned conditions. It's needed to send POST request to http://site/wp-comments-post.php (similar to my previous exploit for Redirector in comments) with setting of Referer header. This can be done via Flash or other methods.
Referer: http://attackers_site
At that in the last version Akismet 2.5.6 (which bundled with WP 3.4 and 3.4.1) these two vulnerabilities are fixed already (at that hiddenly, without any mentioning in readme.txt of the plugin or in announcements of WP). It looks like it has happened after my March or April advisory about XSS and Redirector vulnerabilities via redirectors in WP.
CSRF (WASC-09):
In Akismet < 2.0.2 (WordPress < 2.0.11) there was no protection against CSRF at all, except field for API key. Since version Akismet 2.0.2 the protection appeared, but not in all functionality.
CSRF vulnerability in function of saving configuration. Via POST request to script http://site/wp-admin/plugins.php?page=akismet-key-config it's possible to change configuration.
The attack will work only in WP < 2.0.3 (where there was not protection against CSRF in the engine) in old versions of Akismet (such as 2.0.2 and previous and some next).
CSRF vulnerability in function "Check network status". At GET request to page http://site/wp-admin/plugins.php?page=akismet-key-config the request is going to four Akismet servers with caching of the request.
For sending of requests to Akismet servers with bypassing of caching, it's possible to send POST request to this page. At active CSRF requests it's possible to make load on Akismet servers (especially if to attack from multiple servers).
WordPress Akismet CSRF.html
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/wp-admin/plugins.php?page=akismet-key-config" method="post">
<input type="hidden" name="check" value="1">
</form>
</body>
Timeline:
2012.02.23 - found vulnerabilities in Akismet 2.5.3. Later tested in other versions of the plugin from different versions of WordPress.
2012.07.02 - disclosed the first part of the holes.
2012.07.13 - disclosed the second part of the holes.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua