WordPress XSS vulnerability in RSS Feed Generator

===== noXSS.org Security Advisory =====
Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith  
Published: 2008/11/25
Affected: WordPress < 2.6.5


Summary
=======
WordPress prior to v2.6.3 fails to sanitize the Host header variable
correctly when generating RSS feeds and is therefore prone to XSS
attacks.

Web sites running in a name-based virtual hosting setup are not
affected as long as they are not the default virtual host.
Moreover, we only found installations running on the Apache web server
to be affected.


Vulnerability Details
=====================
The function self_link() in wp-includes/feed.php is used to generate
absolute URLs for the  tag in ATOM and RSS 2.0 feeds:

function self_link() {
   echo 'http'
        . ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://'
        . $_SERVER['HTTP_HOST']                                   // emitted verbatim
        . wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1); // escaped for markup
}

The function does not sanitize the HTTP_HOST variable in any way, but
WordPress replaces all $_SERVER variables with escaped ones in
wp-settings.php:

$_SERVER = add_magic_quotes($_SERVER);

In almost all setups add_magic_quotes() runs
mysql_real_escape_string() over the elements and returns the modified
array. Unfortunately this escaping method is not safe in markup
context: it only prefixes quotes with a backslash, and a backslash does
not stop a double quote from terminating an HTML attribute.
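As an added example that is not part of the advisory or of WordPress, the following PHP contrasts the quote-escaping that add_magic_quotes() applied to $_SERVER with a host check that fits the markup context. addslashes() stands in for mysql_real_escape_string(); the allowlist, the sample Host value and the function names are assumptions.

```php
<?php
// Added example, not WordPress or advisory code. addslashes() stands in for the
// mysql_real_escape_string() that add_magic_quotes() applied to $_SERVER.
function magic_quote(string $s): string {
    return addslashes($s);
}

// Vulnerable pattern: the SQL-escaped Host header goes straight into an href attribute.
function self_link_unsafe(array $server): string {
    return 'http' . (($server['HTTPS'] ?? '') === 'on' ? 's' : '') . '://'
        . magic_quote($server['HTTP_HOST'])
        . htmlspecialchars($server['REQUEST_URI'], ENT_QUOTES);
}

// Host check that fits the markup context: hostname syntax (RFC 1123 labels,
// optional :port) plus membership in a configured allowlist. The allowlist is
// the real control; the pattern only documents the expected shape.
function valid_host(string $host, array $allowed): bool {
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    $re    = "/^{$label}(\\.{$label})*(:\\d{1,5})?$/i";
    return strlen($host) <= 253
        && preg_match($re, $host) === 1
        && in_array(strtolower($host), $allowed, true);
}

// Hardened self_link(): unexpected hosts fall back to the canonical site host,
// and the finished URL is escaped for the attribute it is emitted into.
function self_link_safe(array $server, array $allowed_hosts): string {
    $host = $server['HTTP_HOST'] ?? '';
    if (!valid_host($host, $allowed_hosts)) {
        $host = $allowed_hosts[0];
    }
    $url = 'http' . (($server['HTTPS'] ?? '') === 'on' ? 's' : '') . '://'
        . $host . ($server['REQUEST_URI'] ?? '/');
    return htmlspecialchars($url, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Constructed request: a Host value carrying a quote and angle brackets.
$request = [
    'HTTPS'       => '',
    'HTTP_HOST'   => '"><b>injected</b>',
    'REQUEST_URI' => '/blog/feed',
];
$allowed = ['www.example.org'];   // assumed site configuration

// The unsafe output still holds `\">`: the backslash is inert in HTML, so the
// quote closes href and the markup that follows is live. The safe output has
// no raw quote or angle bracket at all.
echo 'unsafe: href="' . self_link_unsafe($request) . "\"\n";
echo 'safe:   href="' . self_link_safe($request, $allowed) . "\"\n";
```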


PoC
===
The Apache web server only disallows '/', '\' and '..' within the host
header. The header can therefore contain markup making the following
PoC possible:

curl -H "Host: \">" \
http://www.example.org/blog/feed 

The given example request will return (without additional newlines):

-- snip --
...
href="http://\"> 

/blog/feed" rel="self" type="application/rss+xml" />
...
-- snip --

The embedded JavaScript will be executed in Firefox 3.0.4 due to the
triggered switch to Quirks mode.


Exploit
=======
The following exploit is a semi-stored XSS attack and has been tested
with the following setup:

- Apache 2.x with IP based virtual hosting
- WordPress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4


WP Super Cache is a popular WordPress plugin that adds static file
caching to WordPress. It greatly increases performance and is
often used. It saves generated pages in the wp-content/cache directory
and adds mod_rewrite rules to serve cached pages statically.

Issuing a malicious request to a vulnerable WordPress installation
causes a file containing the XSS payload to be generated and placed
within the document root.

Request:
curl -H "Host: \">" \
http://www.example.org/blog/feed 

Generated file:
http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html 

Firefox will execute the embedded JavaScript even though the feed is
XML, because the file is served as text/html.

The only missing step is calculating the cached file's MD5 sum.

The following code generates the MD5 checksum:

php -r 'echo md5("\">".
                   "/blog/feed"), "\n";'

In the default setup the MD5 sum can be generated by concatenating the
contents of HTTP_HOST and REQUEST_URI resulting in
0d2ca4617758433a7864d57493be2c5b for the given example.

This file can be accessed until the cache expiration mechanism removes
it. The default expire time is 3600 seconds.


Vendor Response
===============
2008-11-17 Reported to vendor
2008-11-17 Initial response from vendor
2008-11-25 Release of version 2.6.5


