XSS, Redirector and CSRF vulnerabilities in WordPress

["MustLive" <mustlive () websecurity com ua>]

Hello list!

After seven previous vulnerabilities in Akismet, here are new holes. They
take place in plugin Akismet for WordPress and it's core-plugin (since
version WP 2.0), so these vulnerabilities concern WordPress itself. This is
the second in series of advisories concerning vulnerabilities in Akismet.

These are Cross-Site Scripting, Redirector and Cross-Site Request Forgery
vulnerabilities.

-------------------------
Affected products:
-------------------------

Vulnerable are Akismet 2.5.6 and previous versions and WordPress 2.0 -
3.4.1. Akismet 2.5.6 is bundled with the last versions 3.4 and 3.4.1 of
WordPress.

----------
Details:
----------

XSS (WASC-08):

If the option "Auto-delete spam submitted on posts more than a month old" is
turned on and at sending of spam comment to a post, which is older then 30
days, XSS and Redirector attacks are possible (and they can be conducted as
on logged in admins and users, as on any visitors of the site). Vulnerable
are all versions of Akismet with this functionality (before version 2.5.6).

It's needed to send POST request to http://site/wp-comments-post.php
(similar to my previous exploit for XSS in comments) with setting of Referer
header. This can be done via Flash or other methods. Last year I've wrote
the article XSS attacks via User-Agent header
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-June/007909.html)
and almost all of these methods can be used for Referer header.

Referer:
data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

At IIS web servers the redirect is going via Refresh header, and at other
web servers - via Location header.

Redirector (URL Redirector Abuse) (WASC-38):

The attack is going with above-mentioned conditions. It's needed to send
POST request to http://site/wp-comments-post.php (similar to my previous
exploit for Redirector in comments) with setting of Referer header. This can
be done via Flash or other methods.

Referer: http://attackers_site

At that in the last version Akismet 2.5.6 (which bundled with WP 3.4 and
3.4.1) these two vulnerabilities are fixed already (at that hiddenly,
without any mentioning in readme.txt of the plugin or in announcements of
WP). It looks like it has happened after my March or April advisory about
XSS and Redirector vulnerabilities via redirectors in WP.

CSRF (WASC-09):

In Akismet < 2.0.2 (WordPress < 2.0.11) there was no protection against CSRF
at all, except field for API key. Since version Akismet 2.0.2 the protection
appeared, but not in all functionality.

CSRF vulnerability in function of saving configuration. Via POST request to
script http://site/wp-admin/plugins.php?page=akismet-key-config it's
possible to change configuration.

The attack will work only in WP < 2.0.3 (where there was not protection
against CSRF in the engine) in old versions of Akismet (such as 2.0.2 and
previous and some next).

CSRF vulnerability in function "Check network status". At GET request to
page http://site/wp-admin/plugins.php?page=akismet-key-config the request is
going to four Akismet servers with caching of the request.

For sending of requests to Akismet servers with bypassing of caching, it's
possible to send POST request to this page. At active CSRF requests it's
possible to make load on Akismet servers (especially if to attack from
multiple servers).

WordPress Akismet CSRF.html

<body onLoad="document.hack.submit()">
<form name="hack"
action="http://site/wp-admin/plugins.php?page=akismet-key-config";
method="post">
<input type="hidden" name="check" value="1">
</form>
</body>

------------
Timeline:
------------

2012.02.23 - found vulnerabilities in Akismet 2.5.3. Later tested in other
versions of the plugin from different versions of WordPress.
2012.07.02 - disclosed the first part of the holes.
2012.07.13 - disclosed the second part of the holes.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/