From de308024915a3897d92451c50f469f008ee78dcd Mon Sep 17 00:00:00 2001 From: erwanlr Date: Thu, 8 Aug 2013 13:48:13 +0200 Subject: [PATCH 1/6] Better-WP-Security v3.4.3 XSS vuln title & fixed_in tag --- data/plugin_vulns.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index 1d7ec8ef..8538cbb7 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -1529,9 +1529,10 @@ 3.5.4 - Better WP Security v3.4.3 + Better WP Security v3.4.3 Multiple XSS http://seclists.org/bugtraq/2012/Oct/9 XSS + 3.4.4 Better WP Security <= 3.2.4 Cross Site Scripting From 2a9bd99f97221b845d5484e321c4743e83be7e1e Mon Sep 17 00:00:00 2001 From: ethicalhack3r Date: Fri, 9 Aug 2013 12:54:10 +0200 Subject: [PATCH 2/6] Fix for xmlrpc false positive. Issue #260. --- lib/wpscan/web_site.rb | 25 ++------ lib/wpscan/wp_target.rb | 3 +- spec/lib/wpscan/web_site_spec.rb | 99 ++------------------------------ 3 files changed, 10 insertions(+), 117 deletions(-) diff --git a/lib/wpscan/web_site.rb b/lib/wpscan/web_site.rb index 7f7b2504..e0b0cb1b 100644 --- a/lib/wpscan/web_site.rb +++ b/lib/wpscan/web_site.rb 
@@ -26,36 +26,19 @@ class WebSite end def has_xml_rpc? - !xml_rpc_url.nil? + response = Browser.get_and_follow_location(xml_rpc_url) + response.body =~ %r{XML-RPC server accepts POST requests only}i end # See http://www.hixie.ch/specs/pingback/pingback-1.0#TOC2.3 def xml_rpc_url unless @xmlrpc_url - @xmlrpc_url = xml_rpc_url_from_headers() || xml_rpc_url_from_body() + @xmlrpc_url = @uri.merge('xmlrpc.php').to_s end + @xmlrpc_url end - def xml_rpc_url_from_headers - headers = Browser.get(@uri.to_s).headers_hash - xmlrpc_url = nil - - unless headers.nil? - pingback_url = headers['X-Pingback'] - unless pingback_url.nil? || pingback_url.empty? - xmlrpc_url = pingback_url - end - end - xmlrpc_url - end - - def xml_rpc_url_from_body - body = Browser.get(@uri.to_s).body - - body[%r{}, 1] - end - # See if the remote url returns 30x redirect # This method is recursive # Return a string with the redirection or nil diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb index 750d3927..4c530c3a 100644 --- a/lib/wpscan/wp_target.rb +++ b/lib/wpscan/wp_target.rb @@ -43,9 +43,8 @@ class WpTarget < WebSite if response.body =~ /["'][^"']*\/wp-content\/[^"']*["']/i wordpress = true else - response = Browser.get_and_follow_location(xml_rpc_url) - if response.body =~ %r{XML-RPC server accepts POST requests only}i + if has_xml_rpc? wordpress = true else response = Browser.get_and_follow_location(login_url) diff --git a/spec/lib/wpscan/web_site_spec.rb b/spec/lib/wpscan/web_site_spec.rb index e90ee87e..a3585b36 100644 --- a/spec/lib/wpscan/web_site_spec.rb +++ b/spec/lib/wpscan/web_site_spec.rb 
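Review bot: `@uri.merge('xmlrpc.php')` in the new `xml_rpc_url` resolves relative to the last path segment, so a target like `http://host/blog` (no trailing slash) probes `http://host/xmlrpc.php` instead of `http://host/blog/xmlrpc.php`; how `@uri` is built and whether it is normalised with a trailing slash is outside this hunk, so worth confirming before relying on it. In `has_xml_rpc?` the `=~` result is an Integer or nil rather than a boolean, which a `?` method is expected to return; `!!(response.body =~ %r{XML-RPC server accepts POST requests only}i)` keeps callers and specs from depending on truthiness. The check also ignores the response status, so a catch-all error page reached after a redirect that happens to echo the phrase still counts; if the Browser response exposes the status, requiring a 200 alongside the body match would tighten this. Dropping the X-Pingback/body-link discovery does remove the case where a scanned site could steer the scanner to an arbitrary URL of its choosing, which is a good trade.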
@@ -63,111 +63,22 @@ describe 'WebSite' do end end - describe '#xml_rpc_url_from_headers' do - context 'when the x-pingback is' do - - context 'correctly supplied' do - it 'returns the url in the header : http://example.localhost/xmlrpc.php' do - xmlrpc = 'http://example.localhost/xmlrpc.php' - stub_request(:get, web_site.url). - to_return(status: 200, headers: { 'X-Pingback' => xmlrpc }) - - web_site.xml_rpc_url_from_headers.should === xmlrpc - end - end - - context 'not supplied' do - it 'returns nil' do - stub_request(:get, web_site.url).to_return(status: 200) - web_site.xml_rpc_url_from_headers.should be_nil - end - - context 'but there is another header field' do - it 'returns nil' do - stub_request(:get, web_site.url). - to_return(status:200, headers: { 'another-field' => 'which we do not care' }) - - web_site.xml_rpc_url_from_headers.should be_nil - end - end - end - - context 'empty' do - it 'returns nil' do - stub_request(:get, web_site.url). - to_return(status: 200, headers: { 'X-Pingback' => '' }) - - web_site.xml_rpc_url_from_headers.should be_nil - end - end - - end - end - - describe '#xml_rpc_url_from_body' do - context 'when the pattern does not match' do - it 'returns nil' do - stub_request_to_fixture(url: web_site.url, fixture: fixtures_dir + '/xml_rpc_url/body_dont_match.html') - - web_site.xml_rpc_url_from_body.should be_nil - end - end - - context 'when the pattern match' do - it 'return the url' do - stub_request_to_fixture(url: web_site.url, fixture: fixtures_dir + '/xml_rpc_url/body_match.html') - - web_site.xml_rpc_url_from_body.should == 'http://lamp/wordpress-3.5.1/xmlrpc.php' - end - end - end - describe '#xml_rpc_url' do - after :each do - web_site.xml_rpc_url.should === xmlrpc_url - end - - context 'when found in the headers' do - let(:xmlrpc_url) { 'http://from-headers.localhost/xmlrpc.php' } - - it 'returns the url' do - web_site.stub(xml_rpc_url_from_headers: xmlrpc_url) - end - end - - context 'when found in the body' do - 
let(:xmlrpc_url) { 'http://from-body.localhost/xmlrpc.php' } - - it 'returns the url' do - web_site.stub( - xml_rpc_url_from_headers: nil, - xml_rpc_url_from_body: xmlrpc_url - ) - end - end - - context 'when not found' do - let(:xmlrpc_url) { nil } - - it 'returns nil' do - web_site.stub( - xml_rpc_url_from_headers: nil, - xml_rpc_url_from_body: nil - ) - end + it 'returns the xmlrpc url' do + web_site.xml_rpc_url.should === "http://example.localhost/xmlrpc.php" end end describe '#has_xml_rpc?' do it 'returns true' do - stub_request(:get, web_site.url). - to_return(status: 200, headers: { 'X-Pingback' => 'xmlrpc' }) + stub_request(:get, web_site.xml_rpc_url). + to_return(status: 200, body: "XML-RPC server accepts POST requests only") web_site.should have_xml_rpc end it 'returns false' do - stub_request(:get, web_site.url).to_return(status: 200) + stub_request(:get, web_site.xml_rpc_url).to_return(status: 200) web_site.should_not have_xml_rpc end end From 3870fc0b2c1d942ded301b09dea53e80191e684d Mon Sep 17 00:00:00 2001 From: ethicalhack3r Date: Fri, 9 Aug 2013 13:04:50 +0200 Subject: [PATCH 3/6] Typo fix. Also Travis-CI test... --- lib/wpscan/web_site.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/wpscan/web_site.rb b/lib/wpscan/web_site.rb index e0b0cb1b..13e815ce 100644 --- a/lib/wpscan/web_site.rb +++ b/lib/wpscan/web_site.rb @@ -88,7 +88,7 @@ class WebSite end # Will try to find the rss url in the homepage - # Only the first one found iw returned + # Only the first one found is returned def rss_url homepage_body = Browser.get(@uri.to_s).body homepage_body[%r{}, 1] From 7951e442a8e34b82e38a1472a61e3b0a0004edc6 Mon Sep 17 00:00:00 2001 From: ethicalhack3r Date: Fri, 9 Aug 2013 13:26:39 +0200 Subject: [PATCH 4/6] Attempted Travis-CI fix. --- spec/lib/common/models/wp_version/findable_spec.rb | 2 ++ 1 file changed, 2 insertions(+) 
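Review bot: The `#has_xml_rpc?` examples cover only a 200 with the expected body and a 200 with an empty body; since the implementation now follows redirects and decides on body text alone, an example where `xml_rpc_url` returns 404 or redirects elsewhere would pin the false-positive fix this commit is for. `web_site.xml_rpc_url.should === "http://example.localhost/xmlrpc.php"` uses `===`, which on String is just `==`, so `should ==` reads as intended. A second `#xml_rpc_url` example built from a URL with a path and no trailing slash would document what `@uri.merge('xmlrpc.php')` produces in that case.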
diff --git a/spec/lib/common/models/wp_version/findable_spec.rb b/spec/lib/common/models/wp_version/findable_spec.rb index 35395f76..73c2927f 100644 --- a/spec/lib/common/models/wp_version/findable_spec.rb +++ b/spec/lib/common/models/wp_version/findable_spec.rb @@ -167,6 +167,8 @@ describe 'WpVersion::Findable' do let(:version_xml) {} after do + stub_request(:get, uri.to_s).to_return(status: 0) + version = WpVersion.find(uri, wp_content_dir, wp_plugins_dir, version_xml) version.should == @expected if @expected From fa0e4658cb46111e891809619fc97598ed08e791 Mon Sep 17 00:00:00 2001 From: ethicalhack3r Date: Fri, 9 Aug 2013 13:33:52 +0200 Subject: [PATCH 5/6] Another Travis-CI attempt to fix --- spec/lib/common/models/wp_version/findable_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/lib/common/models/wp_version/findable_spec.rb b/spec/lib/common/models/wp_version/findable_spec.rb index 73c2927f..d73e6d39 100644 --- a/spec/lib/common/models/wp_version/findable_spec.rb +++ b/spec/lib/common/models/wp_version/findable_spec.rb @@ -167,8 +167,8 @@ describe 'WpVersion::Findable' do let(:version_xml) {} after do - stub_request(:get, uri.to_s).to_return(status: 0) - + stub_request(:get, uri.to_s+'*').to_return(status: 0) + version = WpVersion.find(uri, wp_content_dir, wp_plugins_dir, version_xml) version.should == @expected if @expected From 678184e24b390c497baf3f61ed02588f5569abf9 Mon Sep 17 00:00:00 2001 From: ethicalhack3r Date: Fri, 9 Aug 2013 13:45:35 +0200 Subject: [PATCH 6/6] Another Travis-CI possible fix... --- spec/lib/common/models/wp_version/findable_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/lib/common/models/wp_version/findable_spec.rb b/spec/lib/common/models/wp_version/findable_spec.rb index d73e6d39..994ff744 100644 --- a/spec/lib/common/models/wp_version/findable_spec.rb +++ b/spec/lib/common/models/wp_version/findable_spec.rb 
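Review bot: `stub_request(:get, uri.to_s+'*')` passes a String, which WebMock matches as a literal URI as far as I know, not as a glob, so the stub matches nothing and the version-detection requests still go out to the network in CI. A Regexp catches every request under the target, but the URL must be escaped so `.` and `?` stay literal: `stub_request(:get, /\A#{Regexp.escape(uri.to_s)}/).to_return(status: 0)`. The stub is registered inside an `after` block immediately before `WpVersion.find` runs there, which works but is easy to misread; a `before` block would make the ordering explicit. The enclosing `describe` continues outside the hunk.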
@@ -167,7 +167,7 @@ describe 'WpVersion::Findable' do let(:version_xml) {} after do - stub_request(:get, uri.to_s+'*').to_return(status: 0) + stub_request(:get, /#{uri.to_s}.*/).to_return(status: 0) version = WpVersion.find(uri, wp_content_dir, wp_plugins_dir, version_xml) version.should == @expected