Are you looking to have your application properly secured by an experienced professional? Contact us today for a free private consultation. We specialize in web application security, mobile security, and also offer general consultation services. Click here for more information regarding all of our security services.
WordPress Multiple Vulnerabilities
Vendor: WordPress
Product: WordPress
Version: <= 1.5.1.2
Website: http://www.wordpress.org/
CVE: CVE-2005-2107 CVE-2005-2108 CVE-2005-2109 CVE-2005-2110
OSVDB: 17636 17637 17638 17639 17640 17641 17642
SECUNIA: 15831
PACKETSTORM: 38369 38370
Description:
WordPress is a very popular personal publishing platform aka blog software, and is used by everyone from celebrities, to government officials, to non technical average joe's. There are a number of vulnerabilities in WordPress that may allow an attacker to ultimately run arbitrary code on the vulnerable system. These vulnerabilities include SQL Injection, Cross Site Scripting, and also issues that may aid an attacker in social engineering. An updated version of WordPress is available and users are strongly advised to.


Cross Site Scripting:
There are a number of cross site scripting issues in the WordPress personal publishing platform.

http://wordpress/wp-admin/post.php?action=confirmdeletecomment&p=1&
comment=22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/script%3E

http://wordpress/wp-admin/post.php?action=confirmdeletecomment&p=1
22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/script%3E&comment=2

Even though these vulnerabilities are in the admin section I still consider them a higher risk than "normal" because if an attacker has an admin's cookie data then he can forge a cookie, access the admin section, and execute arbitrary code by inserting malicious php into an existing plugin. Also, if you are thinking that the referrer check in wordpress prevents this particular vulnerability then you are mistaken.


SQL Injection:
WordPress comes with it's own built in XMLRPC server server, and this XMLRPC server is enabled by default. The problem here though is that a big part of WordPress preventative security measure comes from this.

if ( !get_magic_quotes_gpc() ) {
	$_GET    = add_magic_quotes($_GET   );
	$_POST   = add_magic_quotes($_POST  );
	$_COOKIE = add_magic_quotes($_COOKIE);
	$_SERVER = add_magic_quotes($_SERVER);
}

This code resides in the file wp-settings.php and prevents a number of what would be SQL Injection attacks otherwise. However, the problem with this bit of code and the XMLRPC server is that the XMLRPC server recieves it's data from the $HTTP_RAW_POST_DATA variable, and this data is not sanatized by magic_quotes_gpc() or the previously mentioned code. So, that leaves nearly every method that the XMLRPC server uses vulnerable to attack. The following XML file could be used to gain an admin hash.

<?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
	<params>
		<param><value><string>
		foobar' UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 FROM wp_users 
		WHERE (user_login='admin' AND MID(user_pass,1,1)='2')/*
		</string></value></param>
		<param><value><string>http://host/?p=1#1</string></value>
		</param><param><value><string>admin</string></value></param>
	</params>
</methodCall>

The above XML file would return the message "The pingback has already been registered" if the user admin had a password hash that starts with the number two, otherwise we get an error. This vulnerability is VERY dangerous because once an an attacker has admin access they can execute arbitrary php code by placing it within an existing plugin, and the ONLY thing an attacker needs to access the admin section is the user login name, and the password hash (it does not need to be decrypted) to place in a cookie. Also, we can likely abuse one of the login function calls within the XMLRPC server to get the same results without needing a version of MySQL that supports the UNION functionality.


Forgotten Password Security Issues:
I am going to make a long story short here, and get to the point. If register globals is on then an attacker may take advantage of an uninitialized variable in wp-login.php and change the content of an email sent to the user by WordPress. The problem occurs because the variable $message is never initialized before being used, so if an attacker abuses this then the normal forgotton password email message will simply be appended to the attackers message content.


Full Path Disclosure:
There are a number of these issues in wordpress. Below are a few examples.

http://wordpress/wp-admin/menu-header.php
http://wordpress/wp-atom.php?feed=1
http://wordpress/wp-rss.php?feed=1
http://wordpress/wp-rss2.php?feed=1

These issues can aide an attacker in further attacks on the affected system by disclosing the full physical path on the affected server.


Solution:
A new version of WordPress has been released, and users should upgrade as soon as possible. The non vulnerable version is 1.5.1.3


Credits:
James Bercegay of the GulfTech Security Research Team