WordPress Persistent XSS
Vulnerability Title: WordPress Persistent XSS
Author: David Kierznowski
Homepage: http://michaeldaw.org
Software Vendor: WordPress
Versions affected: Confirmed in v2.0.5 (latest)
WordPress is a popular open-source blogging platform.
A persistent XSS vulnerability has been found in WordPress (to be honest I have found a few problems and hope to publish these soon). This issue affects the latest version v2.0.5.
Discussion:
When a file is edited through the theme editor, a shortcut to it is added to a list titled 'recently accessed files'. The href of that anchor is correctly escaped with wp_specialchars(); however, the link text is not sanitised. Instead, it is the return value of get_file_description($file), which falls back to basename($file) and is echoed as-is. The only restriction or limitation here is that our text is passed through basename(), which discards everything up to the last '/'. This means standard script tags will fail, because their closing tag ends with '/'. We can get around this by using "open" IMG tags, which need no closing tag and so contain no '/'; this works under FF and IE.
Vulnerable code:

wp-admin/templates.php:

    [line 22]  $recents = get_option('recently_edited');   // list of previously edited file names
    [line 72]  update_recently_edited($file);              // $file comes from the request and is stored unsanitised
    [line 116] foreach ($recents as $recent) :
        echo "<li><a href='templates.php?file="
            . wp_specialchars($recent, true) . "'>"        // href is escaped
            . get_file_description(basename($recent))     // link text is not
            . "</a></li>";
Vulnerable function:

    function get_file_description($file) {
        global $wp_file_descriptions;
        // known core files get a fixed description
        if (isset ($wp_file_descriptions[basename($file)])) {
            return $wp_file_descriptions[basename($file)];
        }
        // template files get their "Template Name:" header
        elseif (file_exists(ABSPATH.$file)) {
            $template_data = implode('', file(ABSPATH.$file));
            if (preg_match("|Template Name:(.*)|i",
                $template_data, $name))
                return $name[1];
        }
        // anything else is returned as-is, with no escaping
        return basename($file);
    }
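To make the defect and its fix concrete, here is a reduced model of the recent-files rendering above. This is an added example, not WordPress code: esc_html_stub() and file_description_stub() are stand-ins for wp_specialchars() and get_file_description() (assumed to behave like htmlspecialchars() and the final basename() branch respectively), and the sample entries are constructed. It shows that basename() truncates a closing tag but leaves a self-contained element untouched, and that encoding the description on output closes the hole regardless of what basename() does.

```php
<?php
// Added example (not WordPress code): a reduced model of the "recently edited
// files" list from wp-admin/templates.php, showing why basename() is not an
// escape and how output encoding closes the hole.

// Stand-in for wp_specialchars(): HTML-encode a string for output.
// Assumption: the real function behaves like htmlspecialchars() here.
function esc_html_stub(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for get_file_description(): no known descriptions and no files on
// disk, so it always falls through to the final basename($file) branch.
function file_description_stub(string $file): string {
    return basename($file);
}

// Vulnerable rendering: the href is encoded, but the link text is emitted raw.
function render_recent_vulnerable(array $recents): string {
    $html = '';
    foreach ($recents as $recent) {
        $html .= "<li><a href='templates.php?file=" . esc_html_stub($recent) . "'>"
               . file_description_stub(basename($recent))
               . "</a></li>\n";
    }
    return $html;
}

// Hardened rendering: the description is encoded on output as well, so any
// markup that survives basename() is shown as text, not parsed as HTML.
function render_recent_fixed(array $recents): string {
    $html = '';
    foreach ($recents as $recent) {
        $html .= "<li><a href='templates.php?file=" . esc_html_stub($recent) . "'>"
               . esc_html_stub(file_description_stub(basename($recent)))
               . "</a></li>\n";
    }
    return $html;
}

// Constructed sample values modelled on the advisory.
$samples = [
    'wp-content/themes/default/index.php',   // a legitimate entry
    '<script>alert(1)</script>',             // basename() cuts at the last '/', leaving "script>"
    "<img src='' onerror=alert(1)>",         // contains no '/', so it survives basename() intact
];

echo "VULNERABLE output:\n" . render_recent_vulnerable($samples) . "\n";
echo "FIXED output:\n" . render_recent_fixed($samples);
```

Run it with the PHP CLI: in the vulnerable output the third entry appears as a live <img> element inside the link, while in the fixed output it appears as the literal text "&lt;img src=&#039;&#039; onerror=alert(1)&gt;". The lesson is the general one: a path-manipulation function filters some payloads by accident, but only output encoding at the point of echo is an actual control.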
Proof of concept:

https://blogsite/wp/wp-admin/templates.php?file=%3Cimg%20src='' onerror=javascript:alert(document.cookie);%3E
Temp Fix:

Comment out the following line in wp-admin/templates.php, so that edited file names are no longer stored in the recently-edited list:

    [Line 72] update_recently_edited($file);
WordPress was contacted: 26/12/06 22:04 BST
Reply received: 27/12/06 06:11 BST
WordPress has fixed this for v2.0.6 and a patch has been released for v2.0.5, see http://trac.wordpress.org/changeset/4665
[...] My good friend Armonth published this news today about an XSS flaw in the latest version of Wordpress (2.0.5). It seems to affect the function get_file_description($file), and the WP people have set to work on fixing the problem in version 2.0.6, which is about to be released. [...]
[...] From Michael Daw's blog, the XSS-handling vulnerability affecting versions of Wordpress, the well-known blogging platform, up to version 2.0.5 has spread to several blogs: it concerns access to wp-admin/templates.php, which since version 2.0.x is accessible only to the admin user, so if the administrator account is compromised (in itself already serious enough) there could be serious problems. Otherwise, the Wordpress team has fixed this problem in the upcoming version 2.0.6 and has released this patch for those on 2.0.5. More experienced users can try the two Release Candidate versions of the upcoming 2.0.6, RC 1 and RC 2, which I believe has already been fixed for this problem: as always, feedback and reports in the comments. [...]
[...] It turns out there is a vulnerability in Wordpress 2.0.5… A persistent XSS vulnerability has been found in WordPress (to be honest I have found a few problems and hope to publish these soon). This issue affects the latest version v2.0.5. // Operation n [...]
Vulnerability in WordPress …
On the Securiteam site (from an original article by Michael Daw) the information needed to fix a security hole affecting the WordPress 2.0.5 platform and earlier is given:
A vulnerability in WordPress's templates.php all…
[...] This is a different kind of WordPress tip, but a highly essential one. A little towards the end of last year, David Kierznowski discovered a minor security flaw, a flaw nonetheless in WordPress version 2.0.5. It is possible that all lower versions are affected as well. [...]
[...] David Kierznowski explains what part of the WP file is causing this: When editing files a shortcut is created titled 'recently accessed files'. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with '/'. We can get around this by using "open" IMG tags; this works under FF and IE. [...]
[...] David Kierznowski writes at Operation N: When editing files a shortcut is created titled 'recently accessed files'. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with '/'. We can get around this by using "open" IMG tags; this works under FF and IE. [...]
[...] This hole has apparently been known since 27 December, as one can read at the discoverer (?) Operation n. techbuzz lists all affected stable Wordpress versions. [...]
Security hole?!…
Whoa, why does nobody inform me, apart from chance?!
These stories about XSS are nasty, though everything that has to do with security is nasty.
Here the hole is explained, and a link to the patch is also pro…
[...] Ashish Mohta of TechSpot has brought to my attention a potentially dangerous wordpress vulnerability that affects all users of wordpress versions below 2.0.6. A relatively minor coding error exists that could allow a malicious user to inject code into your wordpress loop apparently. More technical information is available on this post by David Kierznowski at Operation N. The fix looks to be pretty simple and an official patch is available from the wordpress trac site. Thanks, Ashish for ringing the alarm bell for us! [...]
[...] Just read on Frank's SEO Blog… There is an XSS security hole in Wordpress that is classified as critical. The problem affects all Wordpress versions from the current 2.06 beta downwards. According to SecurityFocus, all Wordpress versions to date up to and including 2.06 are said to be affected. So that nobody gets any stupid ideas, Wordpress is also delivering a matching patch for its free and widely used blog and content management system for the security hole that has become known under the name "Wordpress templates.PHP HTML Injection Vulnerability". Given the nature of the "common blogger", though, the XSS faction among the black hats will probably still have fun with it for quite a while… [...]
[...] A few days ago a critical security hole in all Wordpress versions up to 2.0.5 became known that makes it possible to execute PHP code on the web server or to capture an admin account. The Wordpress developers reacted quickly and released Wordpress 2.0.6 on Friday, and at Wordpress Deutschland a German-language version and an upgrade package are already available for download. [...]
[...] Blog Software Jan 7 at 6:31 pm by Markku Seguerra - In light of the recently reported cross-site scripting vulnerabilities in WordPress, version 2.0.6 has been released to address the said issues in the templates.php file as detailed in these entries from Operation N and Security Focus. (As cited in our related coverage.) [...]
[...] Reference: Advisory 02/2007: WordPress Trackback Charset Decoding SQL Injection Vulnerability WordPress Persistent XSS [...]
[...] Today I see on anieto2k that an XSS bug was found in wordpress 2.0.5 which affects the function get_file_description($file); this problem is already fixed in version 2.0.6 RC2 of wordpress. [...]
[...] the fix for an important security flaw (described on the LiewCF blog*), discovered by David Kierznowski*, which makes updating more than advisable. [...]
[...] WordPress Persistent XSS http://michaeldaw.org/md-hacks/wordpress-persistent-xss/ [...]
[...] WordPress Persistent XSS by David Kierznowski which affects the latest version v2.0.5. See Changeset 4665 [...]
[...] Via Diario a Borbo I learn that finally, after version 2.0.6 Beta 1, 2.0.6 RC1 and 2.0.6 RC2, they have released the last version of the 2.0 branch, in which the Persistent XSS bug is now fixed. [...]