Details : SecurityAlert

  Topic : WordPress XSS vulnerability in RSS Feed Generator
  SecurityAlert : 4662
  CVE : CVE-2008-5278
  CWE : CWE-79
  SecurityRisk : Low
  Remote Exploit : Yes
  Local Exploit : No
  Victim interaction required : Yes
  Exploit Given : Yes
  Credit : Jeremias Reith
  Published : 02.12.2008

  Affected Software : wordpress:wordpress:2.6.1
wordpress:wordpress:2.6
wordpress:wordpress:2.5
wordpress:wordpress:2.5.1
wordpress:wordpress:2.3
wordpress:wordpress:2.2_revision5003
wordpress:wordpress:2.3.2
wordpress:wordpress:2.3.3
wordpress:wordpress:2.3:beta3
wordpress:wordpress:2.3.1
wordpress:wordpress:2.3:rc1
wordpress:wordpress:2.3.1:rc1
wordpress:wordpress:2.1.3_rc1
wordpress:wordpress:2.1.3
wordpress:wordpress:2.1.3_rc2
wordpress:wordpress:2.2.3
wordpress:wordpress:2.2_revision5002
wordpress:wordpress:2.2
wordpress:wordpress:2.2.2
wordpress:wordpress:2.2.1
wordpress:wordpress:2.2.0
wordpress:wordpress:2.1:alpha_3
wordpress:wordpress:2.0.8
wordpress:wordpress:2.0.9
wordpress:wordpress:2.0.3
wordpress:wordpress:2.0.4
wordpress:wordpress:2.0.5
wordpress:wordpress:2.0.6
wordpress:wordpress:2.0.7
wordpress:wordpress:2.1
wordpress:wordpress:2.1.1
wordpress:wordpress:2.1.2
wordpress:wordpress:2.0.10_rc2
wordpress:wordpress:2.0.11
wordpress:wordpress:1.5.1.3
wordpress:wordpress:1.5.2
wordpress:wordpress:2.0
wordpress:wordpress:2.0.1
wordpress:wordpress:2.0.10
wordpress:wordpress:2.0.10_rc1
wordpress:wordpress:1.6
wordpress:wordpress:2.0.2
wordpress:wordpress:1.3.1
wordpress:wordpress:1.5
wordpress:wordpress:1.5.1.2
wordpress:wordpress:1.5.1
wordpress:wordpress:1.2.1
wordpress:wordpress:1.2.2
wordpress:wordpress:1.5-strayhorn
wordpress:wordpress:1.5.1.1
wordpress:wordpress:1.4
wordpress:wordpress:1.2:beta
wordpress:wordpress:1.2-mingus
wordpress:wordpress:1.2-delta
wordpress:wordpress:1.0-platinum
wordpress:wordpress:1.0.2-blakey
wordpress:wordpress:1.0.1-miles
wordpress:wordpress:1.0.2
wordpress:wordpress:1.2
wordpress:wordpress:1.0
wordpress:wordpress:1.0.1
wordpress:wordpress:0.72:rc1
wordpress:wordpress:0.6.2.1:beta_2
wordpress:wordpress:0.6.2:beta_2
wordpress:wordpress:0.71-gold
wordpress:wordpress:0.711
wordpress:wordpress:0.72:beta1
wordpress:wordpress:0.72:beta2
wordpress:wordpress:0.7
wordpress:wordpress:0.71
wordpress:wordpress:0.6.2.1
wordpress:wordpress:0.72
wordpress:wordpress:0.6.2
wordpress:wordpress:2.6.3 and previous versions



  Advisory Text :  

===== noXSS.org Security Advisory ======

Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith <jr (at) noxss (dot) org>
Published: 2008/11/25
Affected: WordPress < 2.6.5

Summary
=======

WordPress prior to v2.6.3 fails to sanitize the Host header variable
correctly when generating RSS feeds and is therefore prone to XSS
attacks.

Web sites running in a name-based virtual hosting setup are not
affected as long as they are not the default virtual host.
Moreover, we only found installations running on the Apache web server
to be affected.

Vulnerability Details
=====================

The function self_link() in wp-includes/feed.php is used to generate
absolute URLs for the <atom:link> tag in ATOM and RSS 2.0 feeds:

function self_link() {
    echo 'http'
        . ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://'
        . $_SERVER['HTTP_HOST']
        . wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1);
}

The function does not sanitize the HTTP_HOST variable in any way but
WordPress replaces all $_SERVER variables with escaped ones in
wp-settings.php:

$_SERVER = add_magic_quotes($_SERVER);

In almost all setups add_magic_quotes() runs
mysql_real_escape_string() over the elements and returns the modified
array. Unfortunately this escaping method is not safe in markup
context: a double quote in the Host header only becomes \" and still
terminates the href attribute.
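As an added example (not the advisory's or WordPress's own code), the vulnerable self_link() logic is shown beside a hardened variant that takes the host from the configured site URL and escapes the result for attribute context. CONFIGURED_HOME stands in for WordPress's get_option('home'), addslashes() for add_magic_quotes(), and htmlspecialchars() for wp_specialchars().

```php
<?php
// Added example (not WordPress code): the advisory's self_link() logic next
// to a hardened variant, run against a constructed request that carries the
// PoC Host header. The configured site URL is a constant standing in for
// WordPress's get_option('home').
define('CONFIGURED_HOME', 'http://www.example.org');

$server = array(  // constructed request, mirroring the PoC
    'HTTP_HOST'   => '"><body onload=alert(String.fromCharCode(88,83,83))>',
    'REQUEST_URI' => '/blog/feed',
    'https'       => '',
);

// Stand-in for add_magic_quotes(): SQL-style escaping of every value
// (addslashes() treats quotes and backslashes like mysql_real_escape_string()).
function sql_style_escape(array $vars) {
    return array_map('addslashes', $vars);
}

// Vulnerable: HTTP_HOST is placed in an XML attribute with only SQL escaping,
// so '"' becomes '\"' and still closes the href attribute.
function self_link_vulnerable(array $server) {
    $server = sql_style_escape($server);
    return '<atom:link href="http'
        . ( $server['https'] == 'on' ? 's' : '' ) . '://'
        . $server['HTTP_HOST']
        . htmlspecialchars(stripslashes($server['REQUEST_URI']), ENT_QUOTES)
        . '" rel="self" type="application/rss+xml" />';
}

// Hardened: the host is taken from the configured site URL unless the Host
// header matches it exactly, and the whole URL is escaped for attribute
// context, so request data can never introduce markup.
function self_link_hardened(array $server) {
    $scheme    = parse_url(CONFIGURED_HOME, PHP_URL_SCHEME);
    $home_host = parse_url(CONFIGURED_HOME, PHP_URL_HOST);
    $host = (strcasecmp($server['HTTP_HOST'], $home_host) === 0)
        ? $server['HTTP_HOST'] : $home_host;
    $url = $scheme . '://' . $host . stripslashes($server['REQUEST_URI']);
    return '<atom:link href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '" rel="self" type="application/rss+xml" />';
}

echo self_link_vulnerable($server), "\n";  // attribute broken open by the Host header
echo self_link_hardened($server), "\n";    // configured host, escaped URL
```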

PoC
====

The Apache web server only disallows '/', '\' and '..' within the host
header. The header can therefore contain markup making the following
PoC possible:

curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \
     http://www.example.org/blog/feed

The given example request will return (without additional newlines):

-- snip --
...
<atom:link href="http://\">
<body onload=alert(String.fromCharCode(88,83,83))>
/blog/feed" rel="self" type="application/rss+xml" />
...
-- snip --

The embedded JavaScript will be executed in Firefox 3.0.4 due to the
triggered switch to Quirks mode.

Exploit
=======

The following exploit is a semi-stored XSS attack and has been tested
with the following setup:

- Apache 2.x with IP based virtual hosting
- WordPress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4

WP Super Cache is a popular WordPress plugin that adds static file
caching to WordPress. It greatly increases performance and is
often used. It saves generated pages in the wp-content/cache directory
and adds mod_rewrite rules to serve cached pages statically.

Issuing a malicious request to a vulnerable WordPress installation
causes a file containing the XSS payload to be generated and placed
within the document root.

Request:
curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \
     http://www.example.org/blog/feed

Generated file:
http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html

Firefox will execute the embedded JavaScript even though the feed is
XML, because the file is served as text/html.

The only missing step is the calculation of the cached file's MD5 sum.

The following code generates the MD5 checksum:

php -r 'echo md5("\"><body onload=alert(String.fromCharCode(88,83,83))>" . "/blog/feed"), "\n";'

In the default setup the MD5 sum can be generated by concatenating the
contents of HTTP_HOST and REQUEST_URI resulting in
0d2ca4617758433a7864d57493be2c5b for the given example.

This file can be accessed until the cache expiration mechanism removes
it. The default expire time is 3600 seconds.
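As an added example that is not part of the advisory, the following script reviews Apache access log lines for Host header values that cannot belong to a legitimate request (such as the one in the requests above) and for hosts outside the site's allowlist, which is how a request that reached the default virtual host shows up. It assumes a LogFormat that appends %{Host}i as the final quoted field; the log entries and the allowlist are constructed.

```php
<?php
// Added example (not from the advisory): review Apache access log lines for
// Host header values that cannot belong to a legitimate request. Assumes a
// LogFormat that appends the Host header as the final quoted field, e.g.:
//   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\"" hostlog
$log_lines = array(  // constructed sample entries
    '192.0.2.10 - - [25/Nov/2008:22:21:11 +0100] "GET /blog/feed HTTP/1.1" 200 4412 "www.example.org"',
    '192.0.2.11 - - [25/Nov/2008:22:21:12 +0100] "GET /blog/feed HTTP/1.1" 200 4487 "\\"><body onload=alert(String.fromCharCode(88,83,83))>"',
    '192.0.2.12 - - [25/Nov/2008:22:21:13 +0100] "GET /blog/feed HTTP/1.0" 200 4412 "-"',
    '192.0.2.13 - - [25/Nov/2008:22:21:14 +0100] "GET /blog/feed HTTP/1.1" 200 4412 "203.0.113.5"',
);
// Extract the last double-quoted field. Apache escapes embedded quotes and
// backslashes C-style in %{...}i values, which stripcslashes() undoes.
function host_from_log_line($line) {
    if (!preg_match('/"((?:[^"\\\\]|\\\\.)*)"\s*$/', $line, $m)) {
        return null;
    }
    return stripcslashes($m[1]);
}
// Host name or IPv4 literal, or a bracketed IPv6 literal, with optional port.
// Quotes, angle brackets and spaces can never appear in a legitimate value.
function is_plausible_host($host) {
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    $re = '/^(?:' . $label . '(?:\.' . $label . ')*|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$/';
    return preg_match($re, $host) === 1;
}
// One entry per suspicious line: missing or malformed Host headers first, then
// valid hosts that are not names this site should serve (requests like these
// reach the default virtual host, the case the advisory describes).
function flag_suspicious_hosts(array $lines, array $allowed_hosts) {
    $flagged = array();
    foreach ($lines as $i => $line) {
        $host = host_from_log_line($line);
        if ($host === null) {
            $flagged[] = array($i + 1, 'unparseable log line', '');
        } elseif ($host === '-') {
            $flagged[] = array($i + 1, 'no Host header sent', $host);
        } elseif (!is_plausible_host($host)) {
            $flagged[] = array($i + 1, 'invalid characters in Host header', $host);
        } elseif (!in_array(strtolower(preg_replace('/:\d+$/', '', $host)), $allowed_hosts, true)) {
            $flagged[] = array($i + 1, 'Host not in allowlist', $host);
        }
    }
    return $flagged;
}

foreach (flag_suspicious_hosts($log_lines, array('www.example.org')) as $f) {
    printf("line %d: %s [%s]\n", $f[0], $f[1], $f[2]);
}
```

Because WP Super Cache keeps the generated page until the expiry described above, a hit on this check should be followed by purging the wp-content/cache directory rather than waiting for the timeout.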

Vendor Response
===============
2008-11-17 Reported to vendor
2008-11-17 Initial response from vendor
2008-11-25 Release of version 2.6.5




  References :

http://www.securityfocus.com/archive/1/498652
http://wordpress.org/development/2008/11/wordpress-265/



  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Copyright © SecurityReason. All Rights Reserved.