——————-Summary—————-
Software: WordPress
Software’s Web Site: http://www.wordpress.org
Versions: 2.0.0
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: Low
—————–Description—————
There is a security bug in the most powerful and common blog software, WordPress 2.0.0 (the latest version), that allows an attacker to perform an XSS attack. The bug results from poor checking of quotation marks in user-supplied variables, specifically the author’s website field, for users who are not logged in.
————–Exploit———————-
Here is an example; a well-crafted scenario can exploit it more effectively.
Go to a post’s comment section.
Fill in all fields correctly, but for the author’s website enter:
" onfocus="alert(1)" onblur="alert(1)
Note the first quotation mark and the unclosed quotation mark at the end (needed for a working exploit).
For any user who then fills in the author website field, an alert will show.
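The mechanics described above, as an added illustration (not code from the advisory or from WordPress): the remembered author URL is written straight into a value="..." attribute, so a leading quote closes the attribute and the rest of the string becomes new attributes. The unescaped and escaped renderers below are hypothetical stand-ins for the comment-form template, and the parser-based check shows which event-handler attributes the browser would actually see.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the advisory: the leading double quote closes value="...",
# and the trailing quote is deliberately left open so the template's own
# closing quote re-balances the markup.
PAYLOAD = '" onfocus="alert(1)" onblur="alert(1)'


def render_unescaped(author_url: str) -> str:
    """Hypothetical template that drops the remembered URL into the attribute as-is."""
    return f'<input type="text" name="url" value="{author_url}">'


def render_escaped(author_url: str) -> str:
    """Hardened form: escape for HTML attribute context, quotes included."""
    safe = html.escape(author_url, quote=True)
    return f'<input type="text" name="url" value="{safe}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes the first <input> tag actually ends up with."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def input_attributes(fragment: str) -> dict:
    parser = _InputAttrs()
    parser.feed(fragment)
    return parser.attrs


def event_handler_attrs(fragment: str) -> list:
    """Defender check: any on* attributes on the rendered input mean a breakout."""
    return sorted(k for k in input_attributes(fragment) if k.startswith("on"))
```

The escaped rendering keeps the full string as the field's value (quotes become &quot;) while yielding no onfocus/onblur attributes; the same escaping applies whether the value comes from a cookie or from the database.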
————–Solution———————
Disable comments for posts until the vendor provides a patch.
————–Credit———————–
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com
myimei.com/security
90 Responses to “WordPress2.0.0~authors’website~XSS attack”
test
Left by Test on February 15th, 2006
Who tests? Test it: website:
dontforgetQuotations.com" onblur="alert(2)" onfocus="alert(2)
Left by imei on February 15th, 2006
Hi, have you tested WP 2.01 too? Can you suggest a patch to Matt?
Left by Fred on February 15th, 2006
It’s just saving the author info in a cookie in your browser. This isn’t affecting anybody but yourself.
WP filters those fields before they are stored in the comments database.
Left by Dougal Campbell on February 15th, 2006
imei: Dougal Campbell, you’re right.
But as I mentioned in the advisory, it can be exploited by a scenario. Imagine a page with a 100% frameset that auto-sends bad data to some weblog. If the scenario is good you can steal cookies (maybe not from the weblog but from another section of the site? In each case it is a bug).
Bye
Left by imei on February 15th, 2006
Sorry friends. I don’t have any address for Matt. Can anyone say or report it to him here please? I don’t like him thinking I’m a bad guy.
Left by imei on February 15th, 2006
Hi Imei,
I don’t think Matt will believe you’re a bad guy - you can probably get in touch with him through his weblog - http://www.photomatt.net/.
If you believe it’s a serious security flaw, then you can send an e-mail to security@wordpress.org
Left by Teli on February 16th, 2006
Hi, I’ve audited the code and found the same result as Dougal. Further, I cannot envision a scenario where such a poisoned cookie would work. The comment form only uses the commenter cookie if the visitor is not logged in.
You should send security issues to security@wordpress.org rather than publish them in this manner. If you can demonstrate a breach of security by the means you described above, please notify the devs at that address.
Thank you.
Left by Andy Skelton on February 16th, 2006
A patch to fix this is available at http://trac.wordpress.org/ticket/2454.
Left by David House on February 16th, 2006
Thank you David and Matt also.
I hope to be useful in future.
Left by imei on February 16th, 2006
Hello.
Contact me at: irc0d3r[4]yahoo[0]com
http://www.hackerz.ir
Left by Hessam-x on February 17th, 2006
?
Left by matt on February 17th, 2006
Hello Matt.
Never mind, the last comment from Hessam-x was in our language, Persian.
Thank you for your comment.
Left by imei on February 18th, 2006
http://www.securityfocus.com/archive/1/425043
http://www.securityfocus.com/bid/16656
Left by imei on February 24th, 2006
http://www.neosecurityteam.net/foro/
Left by ">alert("WordPress PoC from"); on March 3rd, 2006
test.com
Left by ">alert("WordPress PoC from"); on March 3rd, 2006
" onfocus="alert(1)" onblur="alert(1)
Left by " onfocus="alert(1)" onblur="alert(1) on March 3rd, 2006
Chees!
Left by ">alert("This is a hacker Website!"); on March 3rd, 2006
elektronik
Left by muratexc on March 30th, 2006
Too much information I am sure. I cannot seem to keep it simple. As long as these answers are….this is the edited version.
Left by SHAVED on June 15th, 2006