30.09.2008, 18:43
|
|
Постоянный
Регистрация: 23.09.2007
Сообщений: 416
Провел на форуме:
1781065
Репутация:
869
|
|
WordPress MU < 2.6 wpmu-blogs.php Crose SiteScrpting vulnerability
WordPress MU 2.6 wpmu-blogs.php Crose SiteScrpting vulnerability
Product: Wordpress-MU (multi-user)
Version: Versions prior to 2.6 are affected
Url: http://mu.wordpress.org
Affected by: Coss Site Scripting Attack
I. Introduction.
Wordpress-MU, or multi-user, allows to run unlimited blogs with a
single install of wordpress. It's widely used, some examples are
WordPress.com or universities like Harvard
II. Description and Impact
Wordpress-MU is affected by a Cross Site Scripting vulnerability, an
attacker can perform an XSS attack that allows him to access the
targeted user cookies to gain administrator privileges
In /wp-admin/wpmu-blogs.php an attacker can inject javascript code,
the input variables "s" and "ip_address" of GET method aren't properly
sanitized
Here is a poc:
Код:
http://site/path/wp-admin/wpmu-blogs.php?action=blogs&ip_address=XSS
Код:
http://site/path/wp-admin/wpmu-blogs.php?action=blogs&s=XSS
The impact is the attacker can gain administrator privileges on the
application.
III. Timeline
May 14th, 2008 - Bug discovered
May 14th, 2008 - Vendor contacted and the start of a syncronized
code patching
May 16th, 2008 - MU trunk code fixed
July 28th, 2008 - WPMU 2.6 released
September 2nd, 2008 - WPMU 2.6.1 released
September 29th, 2008 - Security advisory released
IV. Solution
Upgrade to version 2.6 or upper of wordpress multi-user. It can be
downloaded from http://mu.wordpress.org
V. Credits
Juan Galiana Lara
|
|
|