August 2009 Archives
Tue Aug 11 11:06:53 CEST 2009
wordpress xss for <=2.8.1
The other day another wordpress exploit went public at milw0rm - it's just an XSS bug, though.
The input value in wordpress's comment URL field turned out to be not escaped too well: they chose to let ' go through.
The injection is limited to a maximum length of about 200 characters (I don't remember the exact figure right now), and since wordpress marked the session cookie HttpOnly some versions ago, cookie stealing would be a bit more complicated.
So I chose to create a defacement link via onmouseover for the PoC. As soon as an admin mouses over the name of the comment author, i.e. when moderating the comment, a blog post is published with the message sent by the attacker, thanks to the very convenient "QuickPress" form; hence the name.
In this very simple exploit you can choose whether to post as 'title' or 'content'; also, you could move the $MESSAGE to be sent as
Thankfully, this bug, among others, is fixed in WordPress 2.8.2 and above.
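The root cause described above is an attribute escaper that handles `&`, `<`, `>` and `"` but leaves `'` alone, so a value placed inside a single-quoted `href` can close the attribute early. The following is an added example (not WordPress code and not the post's PoC) that puts a naive escaper beside a complete one and uses Python's own HTML parser to check whether a constructed URL value ends up as extra attributes on the anchor. The sample URL, the `render_author_link` markup and the function names are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample comment "URL" value: a single quote followed by text that
# would read as a second attribute if the quote were not escaped.
SAMPLE_URL = "http://example.com/' title='injected"


def naive_attr_escape(value: str) -> str:
    """Escape &, <, > and double quotes but let single quotes through.

    This mirrors the incomplete escaping the post describes: it is fine for
    text nodes and double-quoted attributes, but not for single-quoted ones.
    """
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def safe_attr_escape(value: str) -> str:
    """Escape every character that can terminate an attribute value.

    html.escape with quote=True rewrites both " and ' (as &quot; and &#x27;),
    so the value can be embedded in either quoting style.
    """
    return html.escape(value, quote=True)


def render_author_link(url: str, escaper) -> str:
    """Render the comment author's link with a single-quoted href.

    The attribute quoting style is the one in which an unescaped ' matters;
    the surrounding markup is constructed for this example.
    """
    return f"<a href='{escaper(url)}' rel='external nofollow'>author</a>"


class _AnchorAttrs(HTMLParser):
    """Collect the attributes the parser sees on the first <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            # HTMLParser decodes character references in attribute values,
            # so &#x27; comes back as a literal ' inside the href.
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    """Parse the rendered link the way a browser would and return its attributes."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def attribute_injected(url: str, escaper) -> bool:
    """True if the URL value produced attributes other than href and rel."""
    attrs = anchor_attributes(render_author_link(url, escaper))
    return bool(set(attrs) - {"href", "rel"})


if __name__ == "__main__":
    for name, esc in (("naive", naive_attr_escape), ("safe", safe_attr_escape)):
        print(f"{name:5}: {render_author_link(SAMPLE_URL, esc)}")
        print(f"       attributes: {anchor_attributes(render_author_link(SAMPLE_URL, esc))}")
        print(f"       injected:   {attribute_injected(SAMPLE_URL, esc)}")
```

With the naive escaper the parser reports a `title` attribute that the template never wrote; with the complete escaper the whole value, quote included, stays inside `href`. The check is a useful regression test for any template that emits user-controlled values into attributes: assert on what a parser recovers, not on what the escaper's output looks like.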