WordPress version 2.3 is susceptible to a cross site scripting vulnerability in edit-post-rows.php.
088bb9a48f19e34fa6db61543f841501
[waraxe-2007-SA#059] - XSS in WordPress 2.3
====================================================================
Author: Janek Vind "waraxe"
Date: 27. October 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-59.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
To run WordPress your host just needs a couple of things:
PHP version 4.2 or greater
MySQL version 4.0 or greater
Vulnerabilities: Cross-Site Scripting (XSS) in "edit-post-rows.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's have a look inside "/wp-admin/edit-post-rows.php":
------------>[source code]<------------
<?php foreach($posts_columns as $column_display_name) { ?>
<th scope="col"><?php echo $column_display_name; ?></th>
<?php } ?>
------------>[/source code]<-----------
As we can see, array "posts_columns" is uninitialized and if we execute
this php script directly, then arbitrary value for that variable can be
delivered. This means, that reflective XSS exists here. And of course,
"register_globals" must be "on" for this exploit to be successful.
Proof of concept:
http://victim.com/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(123);</script>
//-----> See ya soon and have a nice day ;) <-----//
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get latest WordPress version 2.3.1:
http://wordpress.org/latest.zip
... and update ASAP :)
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SHA Hash Calculator - http://sha1-hash-online.waraxe.us/
Biography Database - http://www.biosaxe.com/
---------------------------------- [ EOF ] ----------------------------
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!