-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

URL: http://wordpress.org/
Version: WordPress 1.2.1
Risk: XSS

* Description

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. [...] Visit http://wordpress.org/ for detailed information.

* Summary

After a quick reread of the WordPress source code I was very disappointed by the improvements in the new version 1.2.1 of WordPress. The developers did not fix all flaws I mentioned in my last advisory [1] and they did not improve the code of the files in the administration panel. There were still a lot of XSS vulnerabilities. So I contacted the main developer again on October 28th and posted the notice about several security flaws in their support forum to be sure the message reached the developers. On December 15th - yesterday - they released a fixed version.

* Cross Site Scripting and similar flaws

Version 1.2.1 of WordPress was *more* vulnerable than the 1.2 release because of this new "feature" in `wp-login.php':

> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
>      != get_settings('siteurl') )
>     update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] .
>                   $_SERVER['REQUEST_URI']) );

With a URI like

  .../wp-login.php?="><script>alert(document.cookie)</script></script>

an attacker was able to store arbitrary values in the global siteurl setting, because both HTTP_HOST and REQUEST_URI are taken verbatim from the client's request. Another issue was that an administrator or privileged user was able to post messages, add new categories, change profile values etc. with HTML code in them.
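The detection code quoted above, as an added example that is not WordPress's own code: the request-derived siteurl logic is reproduced beside a hardened variant that only accepts an operator-configured host and a conservative path, and the reflected redirect_to parameter is shown unescaped beside an escaped rendering. Function names, the allow-list and the sample request are constructed for illustration; the script assumes PHP 7 or later.

```php
<?php
// Added example, not WordPress code. All function names and sample values are
// constructed; only the payload string is taken from the advisory.
declare(strict_types=1);

// Vulnerable pattern from the advisory: the site URL is rebuilt from two
// request-controlled values. Whatever the client sends in the Host header and
// the request line ends up in the stored option, and later in every page that
// prints that option.
function derive_siteurl_unsafe(array $server): string
{
    return dirname('http://' . $server['HTTP_HOST'] . $server['REQUEST_URI']);
}

// Hardened variant: the request may only *confirm* a host the operator listed,
// the query string is discarded, and the path must match a conservative
// character set. Anything else keeps the previously configured value.
function derive_siteurl_safe(array $server, array $allowed_hosts, string $configured): string
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, $allowed_hosts, true)) {
        return $configured;
    }
    $path = parse_url((string) ($server['REQUEST_URI'] ?? ''), PHP_URL_PATH);
    // parse_url returns false/null on malformed input; reject those as well.
    if (!is_string($path) || !preg_match('#\A(/[A-Za-z0-9._-]+)+\z#', $path)) {
        return $configured;
    }
    return 'http://' . $host . rtrim(dirname($path), '/');
}

// Escape for an HTML attribute or text node. ENT_QUOTES covers the double
// quote the advisory's payload uses to break out of value="...".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the parameter is echoed straight into an attribute, which is the
// pattern behind /wp-login.php?redirect_to=[XSS].
function redirect_field_unsafe(string $redirect_to): string
{
    return '<input type="hidden" name="redirect_to" value="' . $redirect_to . '" />';
}

// Hardened: escaped at the point of output. Storing the value earlier (for
// example in an option or a post) does not remove the need to escape it here.
function redirect_field_safe(string $redirect_to): string
{
    return '<input type="hidden" name="redirect_to" value="' . h($redirect_to) . '" />';
}

// Constructed request modelled on the advisory's proof-of-concept URI.
$payload = '"><script>alert(document.cookie)</script></script>';
$request = [
    'HTTP_HOST'   => 'blog.example',
    'REQUEST_URI' => '/wp-login.php?=' . $payload,
];

echo "unsafe siteurl: ", derive_siteurl_unsafe($request), "\n";
echo "safe siteurl:   ", derive_siteurl_safe($request, ['blog.example'], 'http://blog.example'), "\n";
echo "unsafe field:   ", redirect_field_unsafe($payload), "\n";
echo "safe field:     ", redirect_field_safe($payload), "\n";
```

The unsafe siteurl keeps attacker-supplied bytes from the query string, while the safe variant drops everything after the path and yields `http://blog.example`. For the reflected field, the escaped output turns the `"` and `<` of the payload into `&quot;` and `&lt;`, so the attribute boundary cannot be broken. The same output-escaping rule applies to the stored-HTML problem the advisory mentions for posts, categories and profile fields: what was stored is irrelevant if every print site escapes for its context.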
Still vulnerable in WP-1.2.1:

  /wp-login.php?redirect_to=[XSS]
  /wp-admin/bookmarklet.php?popupurl=[XSS]
  /wp-admin/bookmarklet.php?content=[XSS]

XSS vulns they did not fix:

  /wp-admin/edit-comments.php?s=[XSS]
  /wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
  /wp-admin/templates.php?file=[XSS]
  /wp-admin/link-add.php?linkurl=[XSS]
  /wp-admin/link-add.php?name=[XSS]
  /wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
  /wp-admin/link-manager.php?order_by=[XSS]
  /wp-admin/link-manager.php?cat_id=[XSS]
  /wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
  /wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
  /wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
  /wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
  /wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
  /wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
  /wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
  /wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
  /wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
  /wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
  /wp-admin/post.php?content=[XSS]
  /wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL errors:

  /index.php?m=bla
  /wp-admin/edit.php?m=bla
  /wp-admin/link-categories.php?cat_id=bla&action=Edit

* Solution

Upgrade to WordPress 1.2.2 [2]

* Credits

Thomas Waldegger

[1] http://www.securityfocus.com/archive/1/376766
[2] http://wordpress.org/development/2004/12/one-point-two-two/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD9YCYkCo6/ctnOpYRA+hjAJ9RFrEuKfnkxKtCkUns08A6clm0xACcCJWg
VkY1HiosBvsB2237bddPVAU=
=0R15
-----END PGP SIGNATURE-----