483 lines
No EOL
17 KiB
Text
483 lines
No EOL
17 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA1
|
|
|
|
Core Security Technologies - CoreLabs Advisory
|
|
http://www.coresecurity.com/corelabs/
|
|
|
|
WordPress Privileges Unchecked in admin.php and Multiple Information
|
|
Disclosures
|
|
|
|
|
|
|
|
1. *Advisory Information*
|
|
|
|
Title: WordPress Privileges Unchecked in admin.php and Multiple
|
|
Information Disclosures
|
|
Advisory ID: CORE-2009-0515
|
|
Advisory URL:
|
|
http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
|
|
Date published: 2009-07-08
|
|
Date of last update: 2009-07-08
|
|
Vendors contacted: WordPress
|
|
Release mode: Coordinated release
|
|
|
|
|
|
2. *Vulnerability Information*
|
|
|
|
Class: Local file include, Privileges unchecked, Cross site scripting
|
|
(XSS), Information disclosure
|
|
Remotely Exploitable: Yes
|
|
Locally Exploitable: No
|
|
Bugtraq ID: 35581, 35584
|
|
CVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336
|
|
|
|
|
|
3. *Vulnerability Description*
|
|
|
|
WordPress is a web application written in PHP that allows the easy
|
|
installation of a flexible weblog on any computer connected to the
|
|
Internet. WordPress 2.7 reached more than 6 million downloads during
|
|
June 2009 [9].
|
|
|
|
A vulnerability was found in the way that WordPress handles some URL
|
|
requests. This results in unprivileged users viewing the content of
|
|
plugins configuration pages, and also in some plugins modifying plugin
|
|
options and injecting JavaScript code. Arbitrary native code may be run
|
|
by a malicious attacker if the blog administrator runs injected
|
|
JavasScript code that edits blog PHP code. Many WordPress-powered blogs,
|
|
hosted outside 'wordpress.com', allow any person to create unprivileged
|
|
users called subscribers. Other sensitive username information
|
|
disclosures were found in WordPress.
|
|
|
|
|
|
4. *Vulnerable packages*
|
|
|
|
. WordPress 2.8 and previous
|
|
. WordPress MU 2.7.1 and previous, used in WordPress.com
|
|
|
|
|
|
5. *Non-vulnerable packages*
|
|
|
|
. WordPress 2.8.1
|
|
. WordPress MU 2.8.1, used in WordPress.com
|
|
|
|
|
|
6. *Vendor Information, Solutions and Workarounds*
|
|
|
|
Mitigation for the Privileges Unchecked vulnerability (suggested by Core
|
|
Security): this vulnerability may be mitigated by controlling access to
|
|
files inside the 'wp-admin' folder. Access can be prohibited by using
|
|
Apache access control mechanism ('.htaccess' file), see guideline for
|
|
more information [11].
|
|
|
|
|
|
7. *Credits*
|
|
|
|
These vulnerabilities were discovered and researched by Fernando
|
|
Arnaboldi and José Orlicki from Core Security Technologies. Further
|
|
research was made by Jose Orlicki from Core Security Technologies.
|
|
|
|
|
|
8. *Technical Description / Proof of Concept Code*
|
|
|
|
|
|
8.1. *Introduction*
|
|
|
|
In the last few years several security bugs were found in WordPress
|
|
[1][2]. During 2008, the big amount of bugs reported by researchers lead
|
|
to exploitation by blog spammers [3]. During 2009, a new round of
|
|
attacks has appeared and security researchers are reporting new bugs or
|
|
wrongly fixed previously-reported bugs [4][5]. A path traversal in local
|
|
files included by 'admin.php' has been fixed [6][7] but, in our case, we
|
|
report that administrative privileges are still unchecked when accessing
|
|
any PHP file inside a plugin folder.
|
|
|
|
|
|
8.2. *Access Control Roles*
|
|
|
|
WordPress has a privilege model where any user has an assigned role [8].
|
|
Regarding plugins only users characterized by the role Administrator can
|
|
activate plugins. Notice that only the blog hosting owner can add new
|
|
plugins because these must by copied inside the host filesystem. The
|
|
roles Editor, Author or Subscriber (the latter has the least privileges)
|
|
cannot activate plugins, edit plugins, update plugins nor delete plugins
|
|
installed by an Administrator. Besides that, the configuration of
|
|
specific plugins is a grey area because there is no distinguished
|
|
capability assigned [8].
|
|
|
|
Also due to cross-site scripting vulnerabilities inside plugins options
|
|
(something very common), non-administrative users reconfiguring plugins
|
|
may inject persistent JavaScript code. Possibly arbitrary native code
|
|
can be executed by the attacker if the blog administrator runs injected
|
|
JavasScript code that injects PHP code. It is important to observe that
|
|
many WordPress-powered blogs are configured to allow any blog visitor to
|
|
create a Subscriber user without confirmation from the Administrator
|
|
role inside the following URL, although by default the Administrator
|
|
role must create these new users.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-login.php?action=register
|
|
- -----------/
|
|
|
|
This can be modified by the administrator in 'Membership/Anyone can
|
|
register'.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-admin/options-general.php
|
|
- -----------/
|
|
|
|
|
|
|
|
|
|
8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes
|
|
(CVE-2009-2334, BID 35581)*
|
|
|
|
No privileges are checked on WordPress plugins configuration PHP modules
|
|
using parameter 'page' when we replace 'options-general.php' with
|
|
'admin.php'. The same thing happens when replacing other modules such as
|
|
'plugins.php' with 'admin.php'. Basic information disclosure is done
|
|
this way. For example, with the following URL a user with no privileges
|
|
can see the configuration of plugin Collapsing Archives, if installed.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt
|
|
- -----------/
|
|
|
|
Instead of the following allowed URL.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt
|
|
- -----------/
|
|
|
|
Another example of this information disclosure is shown on Akismet, a
|
|
plugin shipped by default with WordPress.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt
|
|
- -----------/
|
|
|
|
All plugins we have tested are vulnerable to this kind of information
|
|
disclosure, but in many of them the PHP files accessed just crashed. On
|
|
the other hand, for example, with capability 'import', privileges are
|
|
checked inside 'admin.php':
|
|
|
|
/-----------
|
|
|
|
if ( ! current_user_can('import') )
|
|
wp_die(__('You are not allowed to import.'));
|
|
- -----------/
|
|
|
|
More dangerous scenarios exist, all of them can be exploited by users
|
|
with the Subscriber role, the least privileged.
|
|
|
|
|
|
8.4. *Abuse example: XSS in plugin configuration module*
|
|
|
|
If installed, *Related Ways To Take Action* is an example of a WordPress
|
|
plugin that is affected by many cross-site scripting vulnerabilities
|
|
(XSS) that can be leveraged by an attacker using the unchecked
|
|
privileges described in this advisory to inject persistent JavaScript
|
|
code. Possibly, arbitrary native code can be executed by the attacker if
|
|
the blog administrator, when he/she logs in, runs injected JavasScript
|
|
code that edits blog PHP code. The original URL for reconfiguring the
|
|
plugin can be accessed only by the Administrator role.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php
|
|
- -----------/
|
|
|
|
But replacing the PHP file with the generic 'admin.php' any blog user
|
|
can modify this configuration.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php
|
|
- -----------/
|
|
|
|
The following JavaScript injection can be entered within field *Exclude
|
|
actions by term* to exemplify this kind of abuse. When the administrator
|
|
enters the same page the injected browser code will be executed and
|
|
possibly blog PHP can be modified to run arbitrary native code.
|
|
|
|
/-----------
|
|
|
|
\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref="
|
|
|
|
- -----------/
|
|
|
|
This is the worst scenario that we found for the vulnerability.
|
|
|
|
|
|
8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*
|
|
|
|
If installed, the WordPress Security Scanner Plugin dashboard can be
|
|
viewed similarly by any user besides the administrator using the plugin
|
|
configuration page URL without modification. This dashboard includes
|
|
common default blog configuration settings that are insecure and should
|
|
be modified by the blog administrator or hosting.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php
|
|
- -----------/
|
|
|
|
|
|
|
|
|
|
8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*
|
|
|
|
If installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be
|
|
reconfigured accessed with the same vulnerability.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php
|
|
- -----------/
|
|
|
|
This gives an attacker the possibility to disable many features of the
|
|
plugin, for example reactivate the forgotten password feature and
|
|
reactivate the XML-RPC blog interface. Also you can deny the weblog
|
|
service by configuring this plugin to be overly sensitive, blocking any
|
|
request. However the plugin cannot be totally disabled because the
|
|
essential IDS parameters 'Maximum impact to ignore bad requests' and
|
|
'Minimum impact to sanitize bad requests' are verified on the server
|
|
side of the blog and cannot be distorted to deactivate the sanitizing or
|
|
blocking features of the web IDS plugin.
|
|
|
|
|
|
8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID
|
|
35584)*
|
|
|
|
WordPress discriminates bad password from bad user logins, this reduces
|
|
the complexity of a brute force attack on WordPress blogs login
|
|
(CVE-2009-2335, BID 35584). The same user information disclosure happens
|
|
when users use the forgotten mail interface to request a new password
|
|
(CVE-2009-2336, same BID 35584). These information disclosures seem to
|
|
be previously reported [6] but the WordPress team is refusing to modify
|
|
them alleging *user convenience*.
|
|
|
|
Default installation of WordPress 2.7.1 leaks the name of the user
|
|
posting entries inside the HTML of the blog.
|
|
|
|
/-----------
|
|
|
|
<small>June 3rd, 2009 <!-- by leakedusername --></small>
|
|
- -----------/
|
|
|
|
|
|
|
|
Also several administrative modules give to anyone the complete path
|
|
where the web application is hosted inside the server. This may simplify
|
|
or enable other malicious attacks. An example follows.
|
|
|
|
/-----------
|
|
|
|
http://[some_wordpress_blog]/wp-settings.php
|
|
- -----------/
|
|
|
|
|
|
|
|
/-----------
|
|
|
|
Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in
|
|
[WP_LEAKED_PATH]\wp-settings.php on line 110
|
|
Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in
|
|
[WP_LEAKED_PATH]\wp-settings.php on line 112
|
|
Warning: require(ABSPATHwp-includes/compat.php) [function.require]:
|
|
failed to open stream:
|
|
No such file or directory in [WP_LEAKED_PATH]\wp-settings.php on line 246
|
|
Fatal error: require() [function.require]: Failed opening required
|
|
'ABSPATHwp-includes/compat.php'
|
|
(include_path='.;[PHP_LEAKED_PATH]\php5\pear') in
|
|
[WP_LEAKED_PATH]\wp-settings.php on line 246
|
|
|
|
- -----------/
|
|
|
|
|
|
|
|
|
|
9. *Report Timeline*
|
|
|
|
. 2009-06-04:
|
|
Core Security Technologies notifies the WordPress team of the
|
|
vulnerabilities (security@wordpress.org) and offers a technical
|
|
description encrypted or in plain-text. Advisory is planned for
|
|
publication on June 22th.
|
|
|
|
. 2009-06-08:
|
|
Core notifies again the WordPress team of the vulnerability.
|
|
|
|
. 2009-06-10:
|
|
The WordPress team asks Core for a technical description of the
|
|
vulnerability in plain-text.
|
|
|
|
. 2009-06-11:
|
|
Technical details sent to WordPress team by Core.
|
|
|
|
. 2009-06-11:
|
|
WordPress team notifies Core that a fix was produced and is available to
|
|
Core for testing. WordPress team asserts that password and username
|
|
discrimination as well as username leakage are known and will not be
|
|
fixed because they are convenient for the users.
|
|
|
|
. 2009-06-12:
|
|
Core tells the WordPress team that the patch will be tested by Core as a
|
|
courtesy as soon as possible. It also requests confirmation that
|
|
WordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to
|
|
the flaws included in the advisory draft CORE-2009-0515.
|
|
|
|
. 2009-06-12:
|
|
WordPress team confirms that WordPress 2.8 and earlier plus
|
|
WordPress.com are vulnerable to the flaws included in the advisory draft.
|
|
|
|
. 2009-06-17:
|
|
Core informs the WordPress team that the patch is only fixing one of the
|
|
four proof of concept abuses included in the advisory draft. Core
|
|
reminds the WordPress team that the advisory is scheduled to be
|
|
published on June 22th but a new schedule can be discussed.
|
|
|
|
. 2009-06-19:
|
|
Core asks for a new patched version of WordPress, if available, and
|
|
notifies the WordPress team that the publication of the advisory was
|
|
re-scheduled to June 30th.
|
|
|
|
. 2009-06-19:
|
|
WordPress team confirms they have a new patch that has the potential to
|
|
break a lot of plugins.
|
|
|
|
. 2009-06-29:
|
|
WordPress team asks for a delayance on advisory CORE-2009-0515
|
|
publication until July 6th, when WordPress MU version will be patched.
|
|
|
|
. 2009-06-29:
|
|
Core agrees to delay publication of advisory CORE-2009-0515 until July 6th.
|
|
|
|
. 2009-06-29:
|
|
Core tells the WordPress team that other administrative PHP modules can
|
|
also be rendered by non-administrative users, such as module
|
|
'admin-post.php' and 'link-parse-opml.php'.
|
|
|
|
. 2009-07-02:
|
|
WordPress team comments that 'admin.php' and 'admin-post.php' are
|
|
intentionally open and plugins can choose to hook either privileged or
|
|
unprivileged actions. They also comment that unprivileged access to
|
|
'link-parse-opml.php' is benign but having this file open is bad form.
|
|
|
|
. 2009-07-02:
|
|
Core sends the WordPress team a new draft of the advisory and comments
|
|
that there is no capability specified in Worpress documentation for
|
|
configuring plugins. Also control of actions registered by plugins is
|
|
not enforced. Core also notices that the privileges unchecked bug in
|
|
'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development
|
|
release.
|
|
|
|
. 2009-07-06:
|
|
Core requests WordPress confirmation of the release date of WordPress
|
|
2.8.1 and WordPress MU 2.8.
|
|
|
|
. 2009-07-07:
|
|
WordPress team confirms that a release candidate of WordPress 2.8.1 is
|
|
made available to users and that the advisory may be published.
|
|
|
|
. 2009-07-06:
|
|
Core requests WordPress confirmation of the release date of WordPress MU
|
|
and WordPress MU new version numbers.
|
|
|
|
. 2009-07-07:
|
|
WordPress team release WordPress 2.8.1 RC1 to its users.
|
|
|
|
. 2009-07-08:
|
|
WordPress team confirms that WordPress MU 2.8.1 will be made available
|
|
as soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.
|
|
|
|
. 2009-07-08:
|
|
The advisory CORE-2009-0515 is published.
|
|
|
|
|
|
|
|
10. *References*
|
|
|
|
[1] WordPress vulnerabilities in CVE database
|
|
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
|
|
[2] SecuriTeam List of WordPress Vulnerabilities
|
|
http://www.securiteam.com/products/W/Wordpress.html
|
|
[3] WordPress Vulnerability - YBO Interactive Blog
|
|
http://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/
|
|
[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1
|
|
http://wordpress.org/support/topic/280748
|
|
[5] Security breach - xkcd blog
|
|
http://blag.xkcd.com/2009/06/18/security-breach/
|
|
[6] securityvulns.com WordPress vulnerabilities digest in English
|
|
http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded
|
|
[7] CVE-2008-0196
|
|
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196
|
|
[8] WordPress Roles and Capabilities
|
|
http://codex.wordpress.org/Roles_and_Capabilities
|
|
[9] WordPress Download Counter
|
|
http://wordpress.org/download/counter/
|
|
[10] WordPress Intrusion Detection System Plugin
|
|
http://php-ids.org/2008/02/21/wpids-version-012-released/
|
|
[11] Hardening WordPress with htaccess
|
|
http://blogsecurity.net/wordpress/article-210607
|
|
|
|
|
|
11. *About CoreLabs*
|
|
|
|
CoreLabs, the research center of Core Security Technologies, is charged
|
|
with anticipating the future needs and requirements for information
|
|
security technologies. We conduct our research in several important
|
|
areas of computer security including system vulnerabilities, cyber
|
|
attack planning and simulation, source code auditing, and cryptography.
|
|
Our results include problem formalization, identification of
|
|
vulnerabilities, novel solutions and prototypes for new technologies.
|
|
CoreLabs regularly publishes security advisories, technical papers,
|
|
project information and shared software tools for public use at:
|
|
http://www.coresecurity.com/corelabs.
|
|
|
|
|
|
12. *About Core Security Technologies*
|
|
|
|
Core Security Technologies develops strategic solutions that help
|
|
security-conscious organizations worldwide develop and maintain a
|
|
proactive process for securing their networks. The company's flagship
|
|
product, CORE IMPACT, is the most comprehensive product for performing
|
|
enterprise security assurance testing. CORE IMPACT evaluates network,
|
|
endpoint and end-user vulnerabilities and identifies what resources are
|
|
exposed. It enables organizations to determine if current security
|
|
investments are detecting and preventing attacks. Core Security
|
|
Technologies augments its leading technology solution with world-class
|
|
security consulting services, including penetration testing and software
|
|
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
|
|
Security Technologies can be reached at 617-399-6980 or on the Web at
|
|
http://www.coresecurity.com.
|
|
|
|
|
|
13. *Disclaimer*
|
|
|
|
The contents of this advisory are copyright (c) 2009 Core Security
|
|
Technologies and (c) 2009 CoreLabs, and may be distributed freely
|
|
provided that no fee is charged for this distribution and proper credit
|
|
is given.
|
|
|
|
|
|
14. *PGP/GPG Keys*
|
|
|
|
This advisory has been signed with the GPG key of Core Security
|
|
Technologies advisories team, which is available for download at
|
|
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.4.6 (MingW32)
|
|
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
|
|
|
|
iD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N
|
|
TPRpR0Gn0WqmF8HOeDslbA8=
|
|
=zEDK
|
|
-----END PGP SIGNATURE-----
|
|
|
|
# milw0rm.com [2009-07-10] |