[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MajorSecurity SA-080]WordPress 3.0.1 - Cross Site Scripting Issue

Hello Bugtraq!

Regarding this XSS in WordPress 3.0.1 (http://www.securityfocus.com/archive/1/513101/30/30/threaded) I'll note about what I already wrote at my site last week. And already wrote to David. That for the attack it's needed to know token (_wpnonce), which designed to protect against CSRF attacks (which exists in WP 2.9.2 and previous versions and must be in next versions), so practically it'll be hard to use this XSS.

Note, that versions WordPress 2.0.x aren't vulnerable, because they have not such functionality. But, as I checked, vulnerable are versions 2.7 - 2.9.2 (similarly as in case of versions 3.0 and 3.0.1). Also vulnerable is WP 2.6.2, but it's needed to make attack differently in it (completely different request), at that only POST request is possible (at that in WP 2.7 and higher as GET, as POST requests are possible). In WP 2.6.x this functionality is implemented differently.

Also I'll note, that researcher stated, that attack is going via parameter checked[0] in script wp-admin/plugins.php, when parameter action equal delete-selected. As I checked, XSS code can be set as in checked[0], as in checked[1] and so on, and also in checked[]. Besides in WP 2.8 - 2.9.2 (and possibly in 3.0 and 3.0.1) it's possible to set as action equal delete-selected, as action2 equal delete-selected, and in versions 2.7.х it's possible to use only action.

Best wishes & regards,
Administrator of Websecurity web site