XSS vulnerabilities fixed in Wordpress 2.0.3

June 2nd, 2006 at 09:32 UTC by Steven J. Murdoch

Users are strongly urged to upgrade their version of Wordpress to 2.0.3 (as you will see that we have already!) This release fixes two XSS vulnerabilities that I reported to Wordpress on 14 Apr 2006 and 4 May 2006, although they are not mentioned in the release announcement. These are exploitable in the default installation and can readily lead to arbitrary PHP code execution.

I think there a number of interesting lessons to learn from these vulnerabilities, so I plan to post more details in 10 days time (thereby giving users a chance to upgrade). The nature of the problem can probably be deduced from the code changes, so there is limited value in waiting much longer.

I will also discuss a refinement of the ‘cache’ shell injection bug reported by rgodm, which is also fixed by Wordpress 2.0.3. The new attack variant I discovered no longer relies on a guessable database password, but only applies when the Subscribe To Comments plugin is also activated. The latest version of the plugin (2.0.4) mitigates this attack, but upgrading Wordpress is still recommended.

Entry filed under: Meta, Security engineering

3 comments Add your own

  • 1. .$author.  |  June 12th, 2006 at 22:48 UTC

    [...] As a side note, I was talking with quadzilla from SEO Blackhat (who, btw, is running a SEO blackjact tournament for anyone who is interested) and he gave me another idea regarding XSS detection that I have been thinking about for quite a while. One of the major problems on the internet today is the fact that a ton of websites are running canned software with bugs in it (drupal, PHP-Nuke, Wordpress ,etc…). If you subscribe to some of the webappsec mailing lists you probably can see the sheer volume of new XSS exploits being discovered on a daily basis. It’s fairly trivial to use Google to detect which websites are running the software in particular (by searching by keywords used by that software), and then use the returned lists of sites to launch automated XSS attacks, to improve pagerank. Pretty scary, and pretty easy. [...]

  • 2. .$author.  |  June 13th, 2006 at 08:27 UTC

    [...] Last week I promised to follow up on a few XSS bugs that I found in Wordpress. The vulnerabilities are fixed in Wordpress 2.0.3, even though the release notes do not mention their existence. I think there are a number of useful lessons that can be drawn from them, so in this post I will describe some more details. [...]

  • 3. .$author.  |  June 22nd, 2006 at 13:07 UTC

    [...] This post describes the second of two vulnerabilities I found in Wordpress. The first, a XSS vulnerability, was described last week. While the vulnerability discussed here is applicable in fewer cases than the previous one, it is an example of a comparatively rare class, oracle attacks, so I think merits further exposition. [...]

Leave a Comment


Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


June 2006
« May   Jul »