WordPress Akismet Vulnerabilities | BOT24

In June we disclosed vulnerabilities in WordPress, which I'd like to present to 
you. They occur in the Akismet plugin for WordPress, which is a core plugin 
(bundled since WP 2.0), so these vulnerabilities concern WordPress itself. 
This is the first in a series of advisories concerning vulnerabilities in 
Akismet.

These are Cross-Site Scripting, Redirector and Full path disclosure 
vulnerabilities.

-------------------------
Affected products:
-------------------------

Akismet 2.5.6 and earlier, and WordPress 2.0 through 3.4.1, are vulnerable. 
Akismet 2.5.6 is bundled with the latest WordPress releases, 3.4 and 3.4.1.

----------
Details:
----------

XSS (WASC-08):

The XSS is triggered by a GET request, carrying a crafted Referer header, to 
one of the following scripts (depending on version; in WP 3.x the last 
address is used): 
http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/admin.php?action=akismet_recheck_queue

The Referer header can be set via Flash or other methods. Last year I wrote 
the article XSS attacks via User-Agent header 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-June/007909.html), 
and almost all of those methods can also be used for the Referer header.

Referer: 
data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

On IIS web servers the redirect is performed via the Refresh header; on other 
web servers, via the Location header.

Redirector (URL Redirector Abuse) (WASC-38):

The redirect is triggered by a GET request, carrying a crafted Referer 
header, to one of the following scripts (depending on version; in WP 3.x the 
last address is used): 
http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/admin.php?action=akismet_recheck_queue

The Referer header can be set via Flash or other methods.

Referer: http://attackers_site

In WP <= 2.0.11 (Akismet <= 2.0.2) the XSS and Redirector attacks do not work 
because of an error in the plugin, but they do work with newer versions of 
the plugin in the various versions of WordPress before 3.4.

Note that in the latest version, Akismet 2.5.6 (bundled with WP 3.4 and 
3.4.1), these two vulnerabilities are already fixed, silently, without any 
mention in the plugin's readme.txt or in WP announcements. It looks like this 
happened after my March or April advisory about XSS and Redirector 
vulnerabilities via redirectors in WP.
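As an added example (not code from the advisory or from the Akismet plugin), the check a recheck-queue handler should apply before redirecting back to the Referer: only a same-site http(s) value is honoured, which is the same rule WordPress's wp_safe_redirect() enforces. It assumes a constructed site origin of http://site and classifies the header values quoted above.

```python
from urllib.parse import urlsplit, urljoin

# Assumed site origin and fallback page (constructed for this example).
SITE_ORIGIN = "http://site"
FALLBACK = "http://site/wp-admin/edit-comments.php"


def referer_risk(referer, site_origin=SITE_ORIGIN):
    """Classify a Referer header value the way a log-triage script would.

    Returns "empty", "header-injection" (CR/LF present), "non-http-scheme"
    (data:, javascript:, ...), "offsite" (open-redirector vector) or "same-site".
    """
    if not referer or not referer.strip():
        return "empty"
    if "\r" in referer or "\n" in referer:
        return "header-injection"
    parts = urlsplit(referer.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return "non-http-scheme"   # blocks the data:text/html;base64 payload
    if parts.netloc.lower() != urlsplit(site_origin).netloc.lower():
        return "offsite"           # blocks http://attackers_site
    return "same-site"


def safe_redirect_target(referer, site_origin=SITE_ORIGIN, fallback=FALLBACK):
    """Return where the handler may redirect after rechecking the queue.

    Anything other than a same-site http(s) Referer falls back to a fixed
    admin page, so neither the XSS nor the redirector vector is reachable.
    """
    if referer_risk(referer, site_origin) != "same-site":
        return fallback
    parts = urlsplit(referer.strip())
    # Rebuild from path and query only, so the raw header value never
    # reaches the Location header verbatim.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return urljoin(site_origin, target)
```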

Full path disclosure (WASC-13):

Because of the above-mentioned error in the plugin, the XSS and Redirector 
attacks do not work in old versions of Akismet such as 2.0.2, but a full path 
disclosure occurs on a request to the following script (depending on the 
version of WP):

http://site/wp-admin/edit.php?page=akismet-admin&recheckqueue=1 or 
http://site/wp-admin/edit-comments.php?page=akismet-admin&recheckqueue=1

Full path disclosure (WASC-13):

Whereas the previous FPD occurs inside a logged-in account, the following 
FPDs do not require authorization:

http://site/wp-content/plugins/akismet/admin.php

http://site/wp-content/plugins/akismet/akismet.php

http://site/wp-content/plugins/akismet/legacy.php

http://site/wp-content/plugins/akismet/widget.php

------------
Timeline:
------------

2012.02.23 - found vulnerabilities in Akismet 2.5.3. Later tested in other 
versions of the plugin from different versions of WordPress.
2012.06.29 - disclosed at my site (http://websecurity.com.ua/5933/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

Disclaimer: The content provided herein is believed to be accurate at the time of publishing based on 
currently available information. Use of the information constitutes acceptance for use in an "AS IS" 
condition. In addition one should always verify any vulnerability with the specific vendor talked about in 
any of the vulnerabilities/advisories described in these writings. There are no warranties with regard 
to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, 
or consequential loss or damage arising from use of, or reliance on, this information.
