WordPress Remote Attack Vulnerability

Vulnerability ID: 1189921    Vulnerability type: Unknown
Published: 2007-07-09    Updated: 2007-07-09
CVE ID: CVE-2007-3639    CNNVD-ID: CNNVD-200707-135
Platform: N/A    CVSS score: 4.0
|Vulnerability Sources
https://www.securityfocus.com/bid/85597
https://cxsecurity.com/issue/WLB-2007070024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-135
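|Vulnerability Details
WordPress before 2.2.2 allows remote attackers to redirect visitors to other sites, and possibly obtain sensitive information, via (1) the _wp_http_referer parameter to wp-pass.php, related to the wp_get_referer function in wp-includes/functions.php; and possibly other vectors related to (2) wp-includes/pluggable.php and (3) the wp_nonce_ays function in wp-includes/functions.php.
|Vulnerability Exploit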
The vulnerability found could allow an attacker to redirect victims to
an arbitrary 3rd party site.  This site could be a phishing site or
contain malware allowing the attacker to steal account credentials or
compromise hosts.  This vulnerability can be found in Wordpress 2.2,
however it is likely that it exists in previous versions as well.

Additional vulnerabilities may exist in the following areas due to the
use of the problematic code:

wp-includes/pluggable.php (lines 282 to 292)
wp-includes/functions.php, wp_nonce_ays function (lines 1287 to 1313)

Description:

The wp-pass.php page can be used to redirect users to arbitrary third
party sites. An attacker may use this vulnerability to redirect users to
a phishing or malware site.

Relevant Code:

wp-pass.php (line 10)

wp_redirect(wp_get_referer());

wp-includes/functions.php (line 1040 to 1045)

function wp_get_referer() {
    foreach ( array($_REQUEST['_wp_http_referer'], $_SERVER['HTTP_REFERER']) as $ref )
        if ( !empty($ref) )
            return $ref;
    return false;
}

Exploit:

http://<WordpressSiteAddressHere>/wp-pass.php?_wp_http_referer=http://www.EvilPhishingOrMalwareSite.com

Since the function uses the $_REQUEST variable, this attack could also
be executed using a cookie or post parameter named "_wp_http_referer".

If this were a real attack, a link would be sent to users in an E-mail,
IM, or other delivery message to trick users into visiting the link.

Versions Affected:

This vulnerability is likely present in several previous versions of
Wordpress, however it was tested and verified in version 2.2.1.

Vendor Response:

The Wordpress team is currently working on addressing this issue and
others in the 2.2.2 release of its blogging software.

Disclosure Timeline:

2007-06-21 Discovery by Nick Coblentz of Security PS
(http://www.securityps.com)
2007-06-22 Vendor notification
2007-07-02 2nd Vendor notification
2007-07-05 Vendor response

Remediation:

Wordpress 2.2.2 will address this issue as well as others.

Credit:

This vulnerability was discovered by Nicholas Coblentz, a security
consultant at Security PS (http://www.securityps.com).
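
The advisory's root cause is that wp_get_referer() returns a request-supplied URL and wp-pass.php redirects to it unchecked. The PHP below is an added example of a same-host check on such a value; it is not WordPress code and not the change shipped in 2.2.2, and safe_redirect_target() and the host blog.example are hypothetical.

```php
<?php
// Added illustration, not WordPress code. safe_redirect_target() and the
// host "blog.example" are hypothetical; sample inputs below are constructed.
function safe_redirect_target($candidate, string $siteHost, string $fallback = '/'): string
{
    // $_REQUEST values can be arrays ("_wp_http_referer[]=x"); accept strings only.
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Whitespace, control characters (CR/LF included) and backslashes have no
    // place in a redirect target; browsers read "\" as "/", so "/\host" is off-site.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    // Local path: one leading slash only ("//host" is protocol-relative).
    if ($candidate[0] === '/') {
        return (strlen($candidate) > 1 && $candidate[1] === '/') ? $fallback : $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    // Userinfo makes "http://blog.example@other.host/" look local; reject it.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $schemeOk = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    $hostOk   = strcasecmp($parts['host'], $siteHost) === 0;
    return ($schemeOk && $hostOk) ? $candidate : $fallback;
}

// Constructed values for the _wp_http_referer parameter.
$samples = [
    '/2007/07/protected-post/',                                // local path: kept
    'http://blog.example/wp-login.php',                        // same host: kept
    'http://www.EvilPhishingOrMalwareSite.com',                // foreign host
    '//www.EvilPhishingOrMalwareSite.com',                     // protocol-relative
    'http://blog.example@www.EvilPhishingOrMalwareSite.com/',  // userinfo trick
    ['unexpected', 'array'],                                   // non-string input
];
foreach ($samples as $s) {
    $shown = is_string($s) ? $s : '(array)';
    printf("%-56s => %s\n", $shown, safe_redirect_target($s, 'blog.example'));
}
```

Reading the value from one named source instead of $_REQUEST also removes the cookie and POST routes the advisory mentions.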
|Affected Products
WordPress WordPress 2.2.1
|References

Source: XF
Name: wordpress-wppass-security-bypass(35272)
Link: http://xforce.iss.net/xforce/xfdb/35272
Source: BUGTRAQ
Name: 20070705 Redirection Vulnerability in wp-pass.php, WordPress 2.2.1
Link: http://www.securityfocus.com/archive/1/archive/1/472885/100/0/threaded
Source: OSVDB
Name: 40802
Link: http://osvdb.org/40802
Source: DEBIAN
Name: DSA-1564
Link: http://www.debian.org/security/2008/dsa-1564
Source: SREASON
Name: 2869
Link: http://securityreason.com/securityalert/2869
Source: SECUNIA
Name: 30013
Link: http://secunia.com/advisories/30013