sla.ckers.org web application security lab forums
Q and A for any cross site scripting information. Feel free to ask away. 
ha.ckers.org XSSed...
Posted by: .mario (IP Logged)
Date: March 12, 2007 10:34AM

[ha.ckers.org]

FYI ;)

Greetings,
.mario

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Re: ha.ckers.org XSSed...
Posted by: rsnake (IP Logged)
Date: March 12, 2007 11:25AM

Bastard! ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: ha.ckers.org XSSed...
Posted by: .mario (IP Logged)
Date: March 12, 2007 11:28AM

My pleasure ;)

Re: ha.ckers.org XSSed...
Posted by: rsnake (IP Logged)
Date: March 12, 2007 12:14PM

Was that a 0-day or did you read it somewhere?

- RSnake
Gotta love it. http://ha.ckers.org

Re: ha.ckers.org XSSed...
Posted by: .mario (IP Logged)
Date: March 12, 2007 12:15PM

[secunia.com]

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Re: ha.ckers.org XSSed...
Posted by: rsnake (IP Logged)
Date: March 12, 2007 04:14PM

Bastards! I'm really starting to hate Wordpress.

- RSnake
Gotta love it. http://ha.ckers.org

Re: ha.ckers.org XSSed...
Posted by: Secks (IP Logged)
Date: March 12, 2007 06:25PM

Looks like it's already fixed : /

Re: ha.ckers.org XSSed...
Posted by: digi7al64 (IP Logged)
Date: March 12, 2007 10:57PM

I honestly can't believe how sad this truly is... do WordPress even audit their code?

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: ha.ckers.org XSSed...
Posted by: .mario (IP Logged)
Date: March 13, 2007 03:42AM

@Secks - yep, RSnake had it fixed half an hour after my post.

@digi7al64 - also yep. Pretty sad, but the only thing one can learn from that is that you must never trust open-source web applications. I have an extra layer of HTML purification under any website I run with OSS via HTML Purifier and the auto_prepend_file directive.

Re: ha.ckers.org XSSed...
Posted by: WhiteAcid (IP Logged)
Date: March 13, 2007 05:25AM

I wonder if Acunetix's scanner would catch this. Seems like it's exactly the type of flaw a human would miss in a manual test but an automated scanner would catch.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ha.ckers.org XSSed...
Posted by: jungsonn (IP Logged)
Date: March 13, 2007 09:20AM

Hi WhiteAcid, I'm scanning it right now with Acunetix. I've set up a dummy wordpress on one of my domains.

Ugh.. that acunetix thing is really flooding that thing, can't even open up my own site anymore. It's around 5000 scans right now.

It found 1 XSS by now, I'll keep you updated as it progresses....



Edited 1 time(s). Last edit at 03/13/2007 09:32AM by jungsonn.

Re: ha.ckers.org XSSed...
Posted by: jungsonn (IP Logged)
Date: March 13, 2007 09:41AM

Ok Acunetix only found one in 9382 scans:

index.php/>"><ScRiPt>alert(1636757329)</ScRiPt> HTTP/1.0

Re: ha.ckers.org XSSed...
Posted by: WhiteAcid (IP Logged)
Date: March 13, 2007 10:10AM

so 1636757329 works but not just 1? lol. Anyway.... Does that exploit actually work for you? doesn't for me.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ha.ckers.org XSSed...
Posted by: jungsonn (IP Logged)
Date: March 13, 2007 10:44AM

Ghehe did not try it out actually, only copied the results here :)

anyway here's the install: [www.jungsonnstudios.com]

I used the newest version of WordPress and the newest Acunetix updates.

EDIT:
It seems to work on my version though



Edited 1 time(s). Last edit at 03/13/2007 10:47AM by jungsonn.

Re: ha.ckers.org XSSed...
Posted by: SW (IP Logged)
Date: March 13, 2007 11:04AM

Hmmm...

"HEY!",
"The requested document is totally fake.",
'No /404 here.',
"Even tried multi.",
"Nothing helped.",
"I'm really depressed about this.",
"You see, I'm just a web server...",
"-- here I am, brain the size of the universe,",
"trying to serve you a simple web page,",
"and then it doesn't even exist!",
"Where does that leave me?!",
"I mean, I don't even know you.",
"How should I know what you wanted from me?",
"You honestly think I can *guess*",
"what someone I don't even *know*",
"wants to find here?",
"*sigh*",
"Man, I'm so depressed I could just cry.",
"And then where would we be, I ask you?",
"It's not pretty when a web server cries.",
"And where do you get off telling me what to show anyway?",
"Just because I'm a web server,",
"and possibly a manic depressive one at that?",
"Why does that give you the right to tell me what to do?",
"Huh?",
"I'm so depressed...",
"I think I'll crawl off into the trash can and decompose.",
"I mean, I'm gonna be obsolete in what, two weeks anyway?",
"What kind of a life is that?",
"Two effing weeks,",
"and then I'll be replaced by a .01 release,",
"that thinks it's God's gift to web servers,",
"just because it doesn't have some tiddly little",
"security hole with its HTTP POST implementation,",
"or something.",
"I'm really sorry to burden you with all this,",
"I mean, it's not your job to listen to my problems,",
"and I guess it is my job to go and fetch web pages for you.",
"But I couldn't get this one.",
"I'm so sorry.",
"Believe me!",
"Maybe I could interest you in another page?",
"There are a lot out there that are pretty neat, they say,",
"although none of them were put on *my* server, of course.",
"Figures, huh?",
"Everything here is just mind-numbingly stupid.",
"That makes me depressed too, since I have to serve them,",
"all day and all night long.",
"Two weeks of information overload,",
"and then *pffftt*, consigned to the trash.",
"What kind of a life is that?",
"Now, please let me sulk alone.",
"I'm so depressed."
);

Re: ha.ckers.org XSSed...
Posted by: WhiteAcid (IP Logged)
Date: March 13, 2007 11:25AM

I've never understood one thing. Some servers allow the request that lets you get XSSes, Jungsonn, that is:
[www.jungsonnstudios.com]
But some servers don't read the / after the file name. Anyway... this may be something that should be reported to WP.

I'll send an email.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ha.ckers.org XSSed...
Posted by: jungsonn (IP Logged)
Date: March 13, 2007 11:48AM

Yeah, would be nice to figure out why some allow this and others don't. If anyone knows, I'll be interested in why this happens.

Re: ha.ckers.org XSSed...
Posted by: trev (IP Logged)
Date: March 13, 2007 11:57AM

The WordPress installations that I tried aren't vulnerable, I guess that's because they use mod_rewrite. Nice find nevertheless.

WhiteAcid, IIS servers don't support anything following the file name unless you change some obscure setting. Most other web servers do, however, and put this data into the PATH_INFO environment variable.

Re: ha.ckers.org XSSed...
Posted by: beford (IP Logged)
Date: March 13, 2007 12:22PM

There was a discussion at sesser forums regarding this kind of XSS [forum.hardened-php.net]

By the way, Yahoo got XSSed too! (again)
[blog.timecapsule.yahoo.com]
[yodel.yahoo.com]
[blog.messenger.yahoo.com]

Re: ha.ckers.org XSSed...
Posted by: hasse (IP Logged)
Date: March 13, 2007 01:41PM

WhiteAcid Wrote:
-------------------------------------------------------
> so 1636757329 works but not just 1? lol.
> Anyway.... Does that exploit actually work for
> you? doesn't for me.

I'm guessing because 1636757329 is more unique than 1 or because it's some sort of id number.



Edited 1 time(s). Last edit at 03/13/2007 01:43PM by hasse.

Re: ha.ckers.org XSSed...
Posted by: blad3 (IP Logged)
Date: March 13, 2007 02:26PM

It works even with 1 :)
1636757329 is just a random number. We are using random numbers for every test.
That's because of stored XSS-es.

Yes, a lot of people are using PHP_SELF and company. That's pretty bad.

BTW, does anybody know why in the Apache + PHP combination it's the same thing to write
http ://www.somesite.com/somedir/script.php
as
http ://www.somesite.com/somedir/script
or even as
http ://www.somesite.com/somedir/script/

And you could have
http ://www.somesite.com/somedir/script.php?id=1
as
http ://www.somesite.com/somedir/script?id=1

You don't need to specify the .php extension
No mod_rewrite is involved here.
It's pretty annoying to me.

Example
[sla.ckers.org]
[sla.ckers.org]
[sla.ckers.org]
[sla.ckers.org]

In the last case the CSS will not be loaded because of directory change.



Edited 3 time(s). Last edit at 03/13/2007 02:41PM by blad3.

Re: ha.ckers.org XSSed...
Posted by: trev (IP Logged)
Date: March 13, 2007 03:17PM

@blad3: That's the MultiViews option, I always switch it off - right next after the Indexes option.

Re: ha.ckers.org XSSed...
Posted by: blad3 (IP Logged)
Date: March 13, 2007 03:25PM

Thanks trev, I didn't know that :)

Re: ha.ckers.org XSSed...
Posted by: .mario (IP Logged)
Date: March 13, 2007 05:46PM

Damn WordPress! The Acunetix vector worked on my blog too - although I thought I filtered everything with the purifier. Jeez - action=" $_SERVER['PHP_SELF'] " - surprising that this hole hasn't been found before!

I hacked myself!
[mario.heideri.ch]
#FIXED#

Thanx, jungsonn for the hint!

Greetings,
.mario

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>



Edited 2 time(s). Last edit at 03/13/2007 06:13PM by .mario.
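The pattern .mario is describing, shown as an added example that is not WordPress code and not code posted by anyone in this thread: a form action built from PHP_SELF, next to two hardened variants, exercised against a constructed request environment. The `$fake` array, the function names and the sample payload are assumptions of this example; PHP_SELF being SCRIPT_NAME followed by PATH_INFO under Apache + mod_php is standard behaviour.

```php
<?php
// Added example, not WordPress or forum-posted code.
// Under Apache + mod_php with PATH_INFO enabled, a request for
//   /index.php/>"><ScRiPt>alert(1)</ScRiPt>
// yields SCRIPT_NAME = /index.php and PATH_INFO = />"><ScRiPt>alert(1)</ScRiPt>,
// and PHP_SELF is the concatenation of the two. Anything echoed from PHP_SELF
// without escaping is therefore attacker-controlled.

// VULNERABLE: the bare echo found in the theme files (searchform.php, sidebar.php).
function vulnerable_form_action(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="get">';
}

// HARDENED, option 1: escape for the HTML attribute context.
// ENT_QUOTES also converts the single quote, which matters inside attributes.
function escaped_form_action(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="get">';
}

// HARDENED, option 2: avoid PHP_SELF altogether. SCRIPT_NAME carries only the
// script path, so the trailing path data never reaches the page. Still escape it.
function scriptname_form_action(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="get">';
}

// Constructed request environment (assumption of this example) modelled on the
// scanner hit quoted earlier in the thread.
$fake = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/>"><ScRiPt>alert(1)</ScRiPt>',
];
$fake['PHP_SELF'] = $fake['SCRIPT_NAME'] . $fake['PATH_INFO'];

echo vulnerable_form_action($fake), "\n";   // payload closes the attribute and the tag
echo escaped_form_action($fake), "\n";      // quotes and angle brackets become entities
echo scriptname_form_action($fake), "\n";   // action="/index.php", path data dropped

// Server side, the Apache core directive "AcceptPathInfo Off" and
// "Options -MultiViews -Indexes" (the setting trev mentions) remove the trailing-path
// and extension-less lookups, but output escaping in the application is still
// required: the same value can arrive through other reflected inputs.
```

Running it from the command line prints the three form tags; the first one shows the broken-out markup, the second shows `&quot;&gt;&lt;ScRiPt&gt;` in the attribute value, and the third never includes the path data at all. For a theme, option 2 is the smaller change because the form only needs the script path, not whatever followed it in the URL.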

Re: ha.ckers.org XSSed...
Posted by: WhiteAcid (IP Logged)
Date: March 14, 2007 02:01PM

I was talking to Ryan as security@wordpress.org and initially neither of us could repro the bug.
After realising that Jungsonn used a Dutch version of WP (from nl.wordpress.net) Ryan pointed out the latest version on that site is 2.0.7 which "does a bare echo of PHP_SELF".

That should be why neither of us could repro the bug anywhere. If any of you can get the bug to appear in the 2.1.2 version, then please let us know.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ha.ckers.org XSSed...
Posted by: jungsonn (IP Logged)
Date: March 14, 2007 04:23PM

So they don't synchronize to the latest??? bad, bad... :)

Re: ha.ckers.org XSSed...
Posted by: .mario (IP Logged)
Date: March 14, 2007 05:41PM

It all depends on the theme - all the vulnerable files (searchform.php, sidebar.php) were theme-specific. Sad enough that WordPress and other open-source software products have those "active templates"... It just means that an attacker could craft a beautiful-looking theme, add some hidden majick and spread it in the community - no big thing via digg, delicious, dzone and whatever portal is out there...

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Re: ha.ckers.org XSSed...
Posted by: trev (IP Logged)
Date: March 14, 2007 07:07PM

mario, you don't need PHP for that - even if the themes were pure HTML one could include some JavaScript code that opens an XSS vulnerability. So the rule is as always: be careful with what you install.

Re: ha.ckers.org XSSed...
Posted by: .mario (IP Logged)
Date: March 15, 2007 04:11AM

@trev: You are right - but what i meant is that if an application is skinnable you should take care of what the skin is capable of or what not.

Re: ha.ckers.org XSSed...
Posted by: xknown (IP Logged)
Date: March 15, 2007 11:29AM

WhiteAcid Wrote:
-------------------------------------------------------
> I was talking to Ryan as security@wordpress.org
> and initially neither of us could repro the bug.

It is possible to reproduce the bug in all versions of WordPress. I've also made an exploit last week (if the logged-in user has permissions to write files, then someone can easily overwrite files and execute arbitrary PHP code).

Don't ask why I didn't report this issue before ;)


