WordPress CSRF Protection XSS Vulnerability

2007.01.09
Credit: Stefan Esser (sesser hardened-php net)
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2007-0106
CWE: CWE-79


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: WordPress CSRF Protection XSS Vulnerability Release Date: 2007/01/05 Last Modified: 2007/01/05 Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]] Application: WordPress <= 2.0.5 Severity: The CSRF protection of WordPress's administration interface is vulnerable to an XSS vulnerability which might result in a compromise of the admin account and the execution of arbitrary PHP code on the server Risk: Critical Vendor Status: Vendor has released WordPress 2.0.6 which fixes this issue References: http://www.hardened-php.net/advisory_012007.140.html Overview: Quote from http://www.wordpress.org "WordPress was born out of a desire for an elegant, well- architectured personal publishing system built on PHP and MySQL and licensed under the GPL. It is the official successor of b2/cafelog. WordPress is fresh software, but its roots and development go back to 2001. It is a mature and stable product. We hope by focusing on user experience and web standards we can create a tool different from anything else out there." While testing WordPress it was discovered that there is a XSS vulnerability in the CSRF protection of WordPress's administration interface. This might result in a compromise of the admin account and might result in the execution of arbitrary PHP code. Details: The administration interface within WordPress comes with a token based CSRF protection. When a request is received with an invalid token it is not discarded like in many similar applications, but a warning screen is returned that asks the admin to verify the action by clicking on a link (that contains a valid token). Unfortunately there was a bug in the way the request information (URL variables) was put into the new link. Due to this fault it was possible to break out of the HTML string context by embedding quotes and HTML tags into the names of URL variables. Due to this is is possible to launch XSS attacks against admin users currently logged into their WordPress and perform all possible administrative actions (or simply steal the login cookie). Depending on the file permissions on the server (for example a writeable wp-config.php or template file) this can also be exploited to execute arbitrary PHP code. Proof of Concept: The Hardened-PHP Project is not going to release a proof of concept exploit for this vulnerability. Disclosure Timeline: 14. November 2006 - Notified security (at) wordpress (dot) org [email concealed] 05. January 2007 - WordPress 2.0.6 release 05. January 2007 - Public Disclosure Recommendation: We strongly recommend to upgrade to WordPress 2.0.6 which also fixes several other security vulnerabilities not covered by this advisory. http://wordpress.org/download/ GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2007 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFFnnflRDkUzAqGSqERAj0FAJ90O0DfF6ETzPOepDmSmERA34OoqwCeIgSP hGSWX194r0vFm40tMaUc4bQ= =R3/p -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top