August 2009 Archives

Tue Aug 11 11:06:53 CEST 2009

wordpress xss for <=2.8.1

The other day another WordPress exploit went public at milw0rm - it's just an XSS bug, though.
The value of the comment URL field in WordPress turned out not to be escaped properly: they let the single quote (') go through unchanged.
The injection is limited in length (I don't remember the exact figure right now, roughly 200 characters I guess), and since WordPress marked the session cookie HttpOnly a few versions ago, stealing the cookie would be a bit more involved.
So for the PoC I chose to build a defacement link via an onmouseover handler. As soon as an admin hovers over the commenter's name, e.g. while moderating the comment, a blog post containing the message sent by the attacker is published through the very convenient "QuickPress" form, hence the name.

In this very simple exploit you can choose whether to post as 'title' or 'content'; you could also move the $MESSAGE into the comment body instead of the author's name, because the latter is limited in length, too. Using the comment body as the input field lets you create very long posts, and with some small adjustments you could even post HTML and JavaScript to the blog. Of course, you could also execute JavaScript to do lots of other things with the admin's browser.
Thankfully, this bug, among others, is fixed in WordPress 2.8.2 and above.
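The root cause described above is an attribute breakout: a single quote that survives output escaping and lands inside a single-quoted `href`. The following is an added example, not WordPress's own code, showing that pattern next to a hardened renderer. Everything here is hypothetical (`render_comment_link_unsafe`, `sanitize_comment_url`, `render_comment_link_safe`, the sample author and URL are constructed); the vulnerable variant passes `ENT_COMPAT` to `htmlspecialchars` explicitly so it behaves the same on every PHP version, since PHP 8.1 changed the default to `ENT_QUOTES`.

```php
<?php
// Added example, not WordPress's own code: the attribute-breakout pattern the
// post describes (a single quote passing through into a single-quoted href)
// next to a hardened renderer. All function names here are hypothetical.

// Constructed sample input: a commenter "URL" carrying a single quote and an
// event-handler attribute. Any value containing ' triggers the same problem.
const SAMPLE_AUTHOR = 'Mallory';
const SAMPLE_URL    = "http://example.invalid/' onmouseover='alert(1)";

// Vulnerable pattern: ENT_COMPAT (PHP's default flag before 8.1) converts
// double quotes but leaves single quotes untouched, so inside a single-quoted
// attribute the value can close the attribute early and start a new one.
function render_comment_link_unsafe(string $author, string $url): string
{
    $escapedUrl    = htmlspecialchars($url, ENT_COMPAT, 'UTF-8');
    $escapedAuthor = htmlspecialchars($author, ENT_COMPAT, 'UTF-8');
    return "<a href='{$escapedUrl}'>{$escapedAuthor}</a>";
}

// Hardening step 1: only accept absolute http/https URLs. This also keeps
// javascript: and data: schemes out of the href, which escaping alone
// would not prevent.
function sanitize_comment_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '') {
        return null;
    }
    // parse_url returns null when the scheme is absent, false when unparsable
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hardening step 2: escape every quote kind (ENT_QUOTES). Both ' and " are
// then encoded, so the attribute cannot be closed early regardless of which
// delimiter the template uses around it.
function render_comment_link_safe(string $author, string $url): string
{
    $escapedAuthor = htmlspecialchars($author, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $cleanUrl = sanitize_comment_url($url);
    if ($cleanUrl === null) {
        return $escapedAuthor;   // unusable URL: print the name without a link
    }
    $escapedUrl = htmlspecialchars($cleanUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"{$escapedUrl}\" rel=\"nofollow\">{$escapedAuthor}</a>";
}

// Defensive self-check for templates: a value about to be placed inside an
// attribute must not contain a raw quote of either kind after escaping.
function contains_raw_quote(string $escapedValue): bool
{
    return strpbrk($escapedValue, "'\"") !== false;
}

if (PHP_SAPI === 'cli') {
    echo "unsafe: ", render_comment_link_unsafe(SAMPLE_AUTHOR, SAMPLE_URL), PHP_EOL;
    echo "safe:   ", render_comment_link_safe(SAMPLE_AUTHOR, SAMPLE_URL), PHP_EOL;

    $compatEscaped = htmlspecialchars(SAMPLE_URL, ENT_COMPAT, 'UTF-8');
    $quotesEscaped = htmlspecialchars(SAMPLE_URL, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    echo "raw quote survives ENT_COMPAT: ", var_export(contains_raw_quote($compatEscaped), true), PHP_EOL;
    echo "raw quote survives ENT_QUOTES: ", var_export(contains_raw_quote($quotesEscaped), true), PHP_EOL;
}
```

Run it with `php example.php`. The unsafe renderer hands the single quote to the browser untouched, which is exactly the condition the post relies on; the hardened renderer both encodes the quote and refuses any URL whose scheme is not http or https, so a value that is not a usable link is rendered as plain text rather than as an attribute. The scheme allowlist is the caveat worth remembering: escaping quotes correctly stops attribute breakout, but it does nothing against a `javascript:` URL that is a perfectly well-formed attribute value.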

Posted by iso | Tags: php, web2.0, security, code