Initial commit

ethicalhack3r
2013-01-27 06:50:41 -08:00
parent c44d4ef3fd
commit 0f72e2a78b

WordPress-3.5-Issues.md (normal file, 47 lines added)

@@ -0,0 +1,47 @@
# WordPress 3.5
WordPress released version 3.5.1 on January 24th 2013 which fixed a number of issues [0]:
* Issue 1: "A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions."
* Issue 2: "Two instances of cross-site scripting via shortcodes and post content."
* Issue 3: "A cross-site scripting vulnerability in the external library Plupload."
## Issue 1
This issue was originally discovered by [@_FireFart_](https://twitter.com/@_FireFart_) a WPScan Team member. You can find his Pingback Port Scanner [here](https://github.com/FireFart/WordpressPingbackPortScanner). Additional [issues](http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html) were also identified with the pingback API.
## Issue 2
This issue was successfully investigated by [@erwan_lr](https://twitter.com/@erwan_lr), a WPScan Team member. 'Administrators and Editors have the unfiltered_html capability' [1] so they are permitted to insert raw JavaScript into blog posts, less privileged users should not be allowed to insert JavaScript into blog posts, however, with these PoCs it is possible.
### Instance 1
Proof of Concept: ```[gallery ids="20" icontag="script>alert(1)</script>"]```
### Instance 2
Proof of Concept: ```[embed]javascript:alert(document.cookie)[/embed]```
## Issue 3
This issue was successfully investigated by [@erwan_lr](https://twitter.com/@erwan_lr), a WPScan Team member. "[Plupload] Allows you to upload files using HTML5 Gears, Silverlight, Flash, BrowserPlus or normal forms, providing some unique features such as upload progress, image resizing and chunked uploads." [2]
Proof of Concept: ```wp-includes/js/plupload/plupload.flash.swf?id=\"));}catch(e){alert(1);}//```
## References and Further Reading
[0] http://wordpress.org/news/2013/01/wordpress-3-5-1/
[1] http://core.trac.wordpress.org/ticket/22861
[2] http://plupload.com/
[3] https://github.com/wpscanteam/wpscan/issues/120
[4] https://github.com/wpscanteam/wpscan/issues/119
[5] https://github.com/FireFart/WordpressPingbackPortScanner
[6] http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html
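Review bot: Issue 1 (the pingback SSRF and port-scanning section) is the only one of the three issues without a proof of concept, while Issues 2 and 3 each carry one; for consistency, include the XML-RPC pingback request (or the exact invocation of the linked WordpressPingbackPortScanner) that demonstrates the probe, and state the WordPress version it was verified against. Two further documentation points in the same file: the Issue 2 paragraph ("'Administrators and Editors have the unfiltered_html capability' [1] so they are permitted ... however, with these PoCs it is possible.") is a single run-on sentence and never names the lower-privileged role (Contributor or Author, for example) under which the two shortcode PoCs were executed, which is the fact that makes them a privilege problem rather than expected unfiltered_html behaviour, so split the sentence and name the role; and references [3] through [6] appear under "References and Further Reading" but are never cited in the body ([5] and [6] are duplicated as inline links in Issue 1, and [3] and [4] are not mentioned anywhere), so either cite each where it applies or remove it. Finally, the title "# WordPress 3.5" heads a document whose content is the 3.5.1 security release; "# WordPress 3.5.1" or a one-line note that 3.5 and earlier are the affected versions (per the quoted "affects all previous WordPress versions") would be clearer.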