
WordPress - "PHP_SELF" XSS vulnerability

Thursday, 22 March 2007

Advisory : WordPress PHP_SELF Variable Handling XSS Vulnerability

Author : Alexander Concha <alex@buayacorp.com>
Application : WordPress (< 2.0.10 RC2, < 2.1.3 RC2)
Severity : The PHP_SELF variable is not sanitized before it is echoed into the CSRF confirmation page generated by wp_nonce_ays(), so a crafted request URL can inject script into the administration interface and turn WordPress's CSRF (nonce) protection against itself. Because the injected script runs with the privileges of the logged-in user, who in the administration interface may be allowed to edit theme files, the flaw can lead to execution of arbitrary PHP code on the server, in addition to the usual consequences of an XSS vulnerability.

Introduction
----------------
WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability.

http://wordpress.org/

Description
---------------
WordPress does not sanitize the PHP_SELF variable before using it. On servers where PHP_SELF includes PATH_INFO (for example Apache with mod_php), anything appended to the request path after the script name ends up in PHP_SELF, so an attacker can choose its value. That value is then echoed unescaped into the administration interface, which allows XSS and, through it, a bypass of the CSRF (nonce) protection used there.

wp-admin/vars.php:

// Keeps everything after the last slash; [^/]+ also accepts quotes and angle brackets.
if ( preg_match('#([^/]+\.php)$#', $PHP_SELF, $self_matches) ) {
    $pagenow = $self_matches[1];
}

wp-admin/functions.php (wp_nonce_ays function):

// $pagenow is interpolated into a single-quoted attribute without any escaping.
$html .= "\t<form method='post' action='$pagenow'>\n";

From the code snippets, if $PHP_SELF has the following value (obtained, for example, by requesting wp-admin/index.php with the rest of the string appended as extra path information):

index.php/'><img src=a onerror=alert(1)><.php

The regex keeps everything after the last slash, so $pagenow becomes '><img src=a onerror=alert(1)><.php and the HTML sent to the browser is:

<form method='post' action=''><img src=a onerror=alert(1)><.php'>

The single quote closes the action attribute, the > closes the form tag, and the img element that follows is parsed as markup; the trailing <.php'> is rendered as harmless text. This behaviour is dangerous because the onerror handler runs in the context of the administrator's session on a page that already contains the nonce-protected form: the script can submit that form automatically and perform any action the logged-in user is allowed to, which defeats the CSRF protection the page was meant to provide.
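The data flow above, reproduced as an added example (this is not WordPress code and not the vendor's patch). The vulnerable pair of functions mirrors the two snippets quoted from wp-admin/vars.php and wp_nonce_ays(); the hardened pair is a generic fix that derives the filename from SCRIPT_NAME (which, unlike PHP_SELF, does not carry PATH_INFO under Apache with mod_php), restricts it to a filename character class, and escapes it on output. The function names are this example's own, and the sample PHP_SELF and SCRIPT_NAME values are constructed, not captured from a real server.

```php
<?php
// Added example, not WordPress code. Reproduces the data flow from the advisory:
// wp-admin/vars.php derives $pagenow from $PHP_SELF, and wp_nonce_ays() interpolates
// it into a form tag without escaping. The hardened functions are a generic fix
// (an assumption about good practice, not the vendor's actual patch).

// --- Vulnerable path: mirrors the two snippets quoted in the advisory -----------

function vulnerable_pagenow(string $php_self): string
{
    $pagenow = '';
    // [^/]+ accepts any character except '/', including quotes and angle brackets.
    if (preg_match('#([^/]+\.php)$#', $php_self, $self_matches)) {
        $pagenow = $self_matches[1];
    }
    return $pagenow;
}

function vulnerable_nonce_form(string $pagenow): string
{
    // $pagenow lands inside a single-quoted attribute with no escaping.
    return "\t<form method='post' action='$pagenow'>\n";
}

// --- Hardened path --------------------------------------------------------------

function hardened_pagenow(string $script_name): string
{
    // SCRIPT_NAME is the path of the executing script only; on Apache/mod_php the
    // extra path information an attacker appends goes to PATH_INFO instead.
    // The character class restricts the result to a plain filename.
    $pagenow = 'index.php';
    if (preg_match('#([A-Za-z0-9_-]+\.php)$#', $script_name, $m)) {
        $pagenow = $m[1];
    }
    return $pagenow;
}

function hardened_nonce_form(string $pagenow): string
{
    // Escape on output regardless of where the value came from; ENT_QUOTES also
    // encodes single quotes, which matters because the attribute is single-quoted.
    $safe = htmlspecialchars($pagenow, ENT_QUOTES, 'UTF-8');
    return "\t<form method='post' action='$safe'>\n";
}

// --- Constructed request values (not captured from a real server) ---------------
// PHP_SELF as the advisory describes it: script name plus attacker-chosen PATH_INFO.
$php_self    = "/wp-admin/index.php/'><img src=a onerror=alert(1)><.php";
// SCRIPT_NAME for the same request.
$script_name = '/wp-admin/index.php';

echo "vulnerable:\n",
     vulnerable_nonce_form(vulnerable_pagenow($php_self));
echo "escaping alone:\n",
     hardened_nonce_form(vulnerable_pagenow($php_self));
echo "SCRIPT_NAME + whitelist + escaping:\n",
     hardened_nonce_form(hardened_pagenow($script_name));
```

Run it with the PHP CLI. The first form tag has its action attribute broken out of exactly as in the advisory; in the second the quote and angle brackets are entity-encoded, so the browser treats the whole payload as an attribute value and no element is injected; in the third the attacker's string never reaches the page at all. Output escaping alone is enough to stop this XSS, but not trusting PHP_SELF in the first place removes the whole class of PATH_INFO-based injections.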

Proof of Concept
-----------------------
A successful attack requires that the logged-in user has the capability to edit theme files, and the attacker must know which theme the target site is currently using.

The following PoC overwrites the content of index.php in the default theme: http://www.buayacorp.com/files/wordpress/wordpress-theme-exploit.txt

Solution
-----------
Upgrade to WordPress 2.0.10-RC2 or 2.1.3-RC2.

Disclosure Timeline
----------------------------
03/08/2007 - Bug found
03/15/2007 - Vendor contact
03/16/2007 - WordPress 2.0.10-RC2 and 2.1.3-RC2 released
03/17/2007 - Public Disclosure

Credits
-------
This vulnerability was discovered by Alexander Concha. At about the same time it was also reported independently on the sla.ckers.org forums[1] by Jungsonn[2].

Alexander Concha <alex@buayacorp.com>
http://www.buayacorp.com
Cusco - Perú

[1] http://sla.ckers.org/forum/read.php?2,7935#msg-8006
[2] http://www.jungsonnstudios.com/blog/
