TUCoPS :: Web :: Blogs :: tb13162.htm

XSS in WordPress 2.3
- XSS in WordPress 2.3
- XSS in WordPress 2.3


=0D
[waraxe-2007-SA#059] - XSS in WordPress 2.3=0D
=====================================================================0D
=0D
Author: Janek Vind "waraxe"=0D
Date: 27. October 2007=0D
Location: Estonia, Tartu=0D
Web: http://www.waraxe.us/advisory-59.html=0D 
=0D
=0D
Target software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
WordPress is a state-of-the-art semantic personal publishing platform=0D
with a focus on aesthetics, web standards, and usability.=0D
=0D
To run WordPress your host just needs a couple of things:=0D
=0D
PHP version 4.2 or greater =0D
MySQL version 4.0 or greater =0D
=0D
Vulnerabilities: Cross-Site Scripting (XSS) in "edit-post-rows.php"=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Let's have a look inside "/wp-admin/edit-post-rows.php":=0D
=0D
------------>[source code]<------------=0D
=0D
	=0D
=0D
------------>[/source code]<-----------=0D
=0D
As we can see, array "posts_columns" is uninitialized and if we execute=0D
this php script directly, then arbitrary value for that variable can be=0D
delivered. This means, that reflective XSS exists here. And of course,=0D
"register_globals" must be "on" for this exploit to be successful.=0D
 =0D
Proof of concept:=0D
=0D
http://victim.com/wp-admin/edit-post-rows.php?posts_columns[]==0D 
=0D
=0D
//-----> See ya soon and have a nice day ;) <-----//=0D
=0D
How to fix:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Get latest WordPress version 2.3.1:=0D
=0D
http://wordpress.org/latest.zip=0D 
=0D
... and update ASAP :)=0D
=0D
=0D
Greetings:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb=0D
and anyone else who know me!=0D
Greetings to Raido Kerna.=0D
Tervitusi Torufoorumi rahvale!=0D
=0D
Contact:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
come2waraxe@yahoo.com=0D 
Janek Vind "waraxe"=0D
=0D
Homepage: http://www.waraxe.us/=0D 
=0D
=0D
Shameless advertise:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
SHA Hash Calculator - http://sha1-hash-online.waraxe.us/=0D 
Biography Database - http://www.biosaxe.com/=0D 
=0D
---------------------------------- [ EOF ] ----------------------------=0D
=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH