WordPress Cross-Site Scripting Vulnerability

Vulnerability ID: 1192220    Vulnerability Type: Cross-Site Scripting
Published: 2007-01-08    Updated: 2007-01-15
CVE ID: CVE-2007-0106    CNNVD ID: CNNVD-200701-053
Platform: N/A    CVSS Score: 6.8
|Vulnerability Sources
https://cxsecurity.com/issue/WLB-2007010030
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-053
|Vulnerability Details
The cross-site request forgery (CSRF) protection scheme in WordPress versions before 2.0.6 contains a cross-site scripting vulnerability. A remote attacker can inject arbitrary web script or HTML by means of a CSRF attack that carries an invalid token together with quote characters or HTML tags in the name of a URL variable; that variable name is not handled correctly when WordPress generates a new link to verify the request.
|Exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hardened-PHP Project
                        www.hardened-php.net

-= Security  Advisory =-

     Advisory: WordPress CSRF Protection XSS Vulnerability
 Release Date: 2007/01/05
Last Modified: 2007/01/05
       Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]]

  Application: WordPress <= 2.0.5
     Severity: The CSRF protection of WordPress's administration
               interface is vulnerable to an XSS vulnerability
               which might result in a compromise of the admin
               account and the execution of arbitrary PHP code
               on the server
         Risk: Critical
Vendor Status: Vendor has released WordPress 2.0.6 which fixes this issue
   References: http://www.hardened-php.net/advisory_012007.140.html

Overview:

Quote from http://www.wordpress.org
   "WordPress was born out of a desire for an elegant, well-
    architectured personal publishing system built on PHP and MySQL
    and licensed under the GPL. It is the official successor of
    b2/cafelog. WordPress is fresh software, but its roots and
    development go back to 2001. It is a mature and stable product.
    We hope by focusing on user experience and web standards we can
    create a tool different from anything else out there."

While testing WordPress it was discovered that there is an XSS
vulnerability in the CSRF protection of WordPress's administration
interface. This might result in a compromise of the admin account
and might result in the execution of arbitrary PHP code.

Details:

The administration interface within WordPress comes with a token
based CSRF protection. When a request is received with an invalid
token it is not discarded like in many similar applications, but
a warning screen is returned that asks the admin to verify the
action by clicking on a link (that contains a valid token).

Unfortunately there was a bug in the way the request information
(URL variables) was put into the new link. Due to this fault it
was possible to break out of the HTML string context by embedding
quotes and HTML tags into the names of URL variables.

Due to this it is possible to launch XSS attacks against admin
users currently logged into their WordPress and perform all possible
administrative actions (or simply steal the login cookie).
Depending on the file permissions on the server (for example a
writeable wp-config.php or template file) this can also be
exploited to execute arbitrary PHP code.

Proof of Concept:

The Hardened-PHP Project is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:

14. November 2006  - Notified security (at) wordpress (dot) org [email concealed]
05. January 2007   - WordPress 2.0.6 release
05. January 2007   - Public Disclosure

Recommendation:

We strongly recommend to upgrade to WordPress 2.0.6 which also
fixes several other security vulnerabilities not covered by this
advisory.

http://wordpress.org/download/

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
     Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2007 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFnnflRDkUzAqGSqERAj0FAJ90O0DfF6ETzPOepDmSmERA34OoqwCeIgSP
hGSWX194r0vFm40tMaUc4bQ=
=R3/p
-----END PGP SIGNATURE-----
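The root cause the advisory describes is a "confirm this action" link rebuilt from the names of the incoming URL variables without encoding them, so a quote or a tag in a variable name ends the href attribute early. The following PHP is an added illustration of that pattern and its fix; it is not WordPress code (the real 2.0.5 code and its patch are not reproduced on this page) and the script path, the function names and the `_wpnonce` token value are constructed placeholders. It contrasts an unescaped link builder with one that URL-encodes the query and HTML-escapes the attribute, and adds a small check a reviewer can run over the generated markup.

```php
<?php
// Added example, not WordPress code. Demonstrates why a confirmation link
// built from request variable names must encode those names.

// Constructed request: one ordinary key and one key carrying a quote and a
// tag, the kind of input the advisory says breaks the attribute context.
$request = [
    'action'        => 'delete_post',
    'post_id"><i>x' => '1',
];

// Vulnerable pattern (illustrative, not the actual WordPress 2.0.5 code):
// keys and values are dropped straight into the href attribute.
function build_confirm_link_unescaped(array $vars, string $token): string {
    $pairs = [];
    foreach ($vars as $k => $v) {
        $pairs[] = $k . '=' . $v;            // no encoding at all
    }
    $href = 'wp-admin/action.php?' . implode('&', $pairs) . '&_wpnonce=' . $token;
    return '<a href="' . $href . '">Confirm</a>';
}

// Hardened pattern: URL-encode every key and value with http_build_query,
// then HTML-escape the whole attribute value so that neither a quote nor a
// tag can terminate the attribute or the element.
function build_confirm_link_escaped(array $vars, string $token): string {
    $query = http_build_query(array_merge($vars, ['_wpnonce' => $token]), '', '&');
    $href  = 'wp-admin/action.php?' . $query;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Confirm</a>';
}

// Reviewer's check: the href attribute must contain no raw quote, '<' or
// '>' and must be followed only by the anchor's own closing markup.
function href_attribute_is_sealed(string $html): bool {
    if (!preg_match('/href="([^"]*)"/', $html, $m)) {
        return false;
    }
    $rest = substr($html, strpos($html, $m[0]) + strlen($m[0]));
    return $rest === '>Confirm</a>' && strpbrk($m[1], '<>"') === false;
}

$token = 'constructed-token';   // placeholder, not a real WordPress nonce
foreach (['build_confirm_link_unescaped', 'build_confirm_link_escaped'] as $fn) {
    $html = $fn($request, $token);
    printf("%-28s sealed=%s\n  %s\n", $fn, href_attribute_is_sealed($html) ? 'yes' : 'no', $html);
}
```

Run with `php example.php`. For the unescaped builder the check reports `sealed=no`, because the quote in the constructed key closes the href attribute and the `<i>` lands outside it; for the escaped builder it reports `sealed=yes`, since the key is emitted as `post_id%22%3E%3Ci%3Ex` and the `&` separators as `&amp;`. The same two-step rule (URL-encode the query, then attribute-escape the result) is what keeps any link rebuilt from request data inside its attribute, whatever the caller put in the variable names.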
|References

Source: BID
Name: 21893
Link: http://www.securityfocus.com/bid/21893
Source: wordpress.org
Link: http://wordpress.org/development/2007/01/wordpress-206/
Source: BUGTRAQ
Name: 20070105 Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/456048/100/0/threaded
Source: MISC
Link: http://www.hardened-php.net/advisory_012007.140.html
Source: VUPEN
Name: ADV-2007-0061
Link: http://www.frsirt.com/english/advisories/2007/0061
Source: SECUNIA
Name: 23595
Link: http://secunia.com/advisories/23595
Source: OSVDB
Name: 33397
Link: http://osvdb.org/33397
Source: SREASON
Name: 2114
Link: http://securityreason.com/securityalert/2114