Home » 2009 » July » 10 » WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures
3:48 PM
WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures
Core Security Technologies - CoreLabs Advisory
  http://www.coresecurity.com/corelabs/

WordPress Privileges Unchecked in admin.php and Multiple Information
Disclosures



1. *Advisory Information*

Title: WordPress Privileges Unchecked in admin.php and Multiple
Information Disclosures
Advisory ID: CORE-2009-0515
Advisory URL:
http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
Date published: 2009-07-08
Date of last update: 2009-07-08
Vendors contacted: WordPress
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Local file include, Privileges unchecked, Cross site scripting
(XSS), Information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 35581, 35584
CVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336


3. *Vulnerability Description*

WordPress is a web application written in PHP that allows the easy
installation of a flexible weblog on any computer connected to the
Internet. WordPress 2.7 reached more than 6 million downloads during
June 2009 [9].

A vulnerability was found in the way that WordPress handles some URL
requests. This results in unprivileged users viewing the content of
plugins configuration pages, and also in some plugins modifying plugin
options and injecting JavaScript code. Arbitrary native code may be run
by a malicious attacker if the blog administrator runs injected
JavasScript code that edits blog PHP code. Many WordPress-powered blogs,
hosted outside 'wordpress.com', allow any person to create unprivileged
users called subscribers. Other sensitive username information
disclosures were found in WordPress.


4. *Vulnerable packages*

  . WordPress 2.8 and previous
  . WordPress MU 2.7.1 and previous, used in WordPress.com


5. *Non-vulnerable packages*

  . WordPress 2.8.1
  . WordPress MU 2.8.1, used in WordPress.com


6. *Vendor Information, Solutions and Workarounds*

Mitigation for the Privileges Unchecked vulnerability (suggested by Core
Security): this vulnerability may be mitigated by controlling access to
files inside the 'wp-admin' folder. Access can be prohibited by using
Apache access control mechanism ('.htaccess' file), see guideline for
more information [11].


7. *Credits*

These vulnerabilities were discovered and researched by Fernando
Arnaboldi and José Orlicki from Core Security Technologies. Further
research was made by Jose Orlicki from Core Security Technologies.


8. *Technical Description / Proof of Concept Code*


8.1. *Introduction*

In the last few years several security bugs were found in WordPress
[1][2]. During 2008, the big amount of bugs reported by researchers lead
to exploitation by blog spammers [3]. During 2009, a new round of
attacks has appeared and security researchers are reporting new bugs or
wrongly fixed previously-reported bugs [4][5]. A path traversal in local
files included by 'admin.php' has been fixed [6][7] but, in our case, we
report that administrative privileges are still unchecked when accessing
any PHP file inside a plugin folder.


8.2. *Access Control Roles*

WordPress has a privilege model where any user has an assigned role [8].
Regarding plugins only users characterized by the role Administrator can
activate plugins. Notice that only the blog hosting owner can add new
plugins because these must by copied inside the host filesystem. The
roles Editor, Author or Subscriber (the latter has the least privileges)
cannot activate plugins, edit plugins, update plugins nor delete plugins
installed by an Administrator. Besides that, the configuration of
specific plugins is a grey area because there is no distinguished
capability assigned [8].

Also due to cross-site scripting vulnerabilities inside plugins options
(something very common), non-administrative users reconfiguring plugins
may inject persistent JavaScript code. Possibly arbitrary native code
can be executed by the attacker if the blog administrator runs injected
JavasScript code that injects PHP code. It is important to observe that
many WordPress-powered blogs are configured to allow any blog visitor to
create a Subscriber user without confirmation from the Administrator
role inside the following URL, although by default the Administrator
role must create these new users.

/-----------

http://[some_wordpress_blog]/wp-login.php?action=register
- -----------/

 This can be modified by the administrator in 'Membership/Anyone can
register'.

/-----------

http://[some_wordpress_blog]/wp-admin/options-general.php
- -----------/




8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes
(CVE-2009-2334, BID 35581)*

No privileges are checked on WordPress plugins configuration PHP modules
using parameter 'page' when we replace 'options-general.php' with
'admin.php'. The same thing happens when replacing other modules such as
'plugins.php' with 'admin.php'. Basic information disclosure is done
this way. For example, with the following URL a user with no privileges
can see the configuration of plugin Collapsing Archives, if installed.

/-----------

http://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt
- -----------/

 Instead of the following allowed URL.

/-----------

http://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt
- -----------/

 Another example of this information disclosure is shown on Akismet, a
plugin shipped by default with WordPress.

/-----------

http://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt
- -----------/

 All plugins we have tested are vulnerable to this kind of information
disclosure, but in many of them the PHP files accessed just crashed. On
the other hand, for example, with capability 'import', privileges are
checked inside 'admin.php':

/-----------

if ( ! current_user_can('import') )
  wp_die(__('You are not allowed to import.'));
- -----------/

 More dangerous scenarios exist, all of them can be exploited by users
with the Subscriber role, the least privileged.


8.4. *Abuse example: XSS in plugin configuration module*

If installed, *Related Ways To Take Action* is an example of a WordPress
plugin that is affected by many cross-site scripting vulnerabilities
(XSS) that can be leveraged by an attacker using the unchecked
privileges described in this advisory to inject persistent JavaScript
code. Possibly, arbitrary native code can be executed by the attacker if
the blog administrator, when he/she logs in, runs injected JavasScript
code that edits blog PHP code. The original URL for reconfiguring the
plugin can be accessed only by the Administrator role.

/-----------

http://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php
- -----------/

 But replacing the PHP file with the generic 'admin.php' any blog user
can modify this configuration.

/-----------

http://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php
- -----------/

 The following JavaScript injection can be entered within field *Exclude
actions by term* to exemplify this kind of abuse. When the administrator
enters the same page the injected browser code will be executed and
possibly blog PHP can be modified to run arbitrary native code.

/-----------

\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref="

- -----------/

 This is the worst scenario that we found for the vulnerability.


8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*

If installed, the WordPress Security Scanner Plugin dashboard can be
viewed similarly by any user besides the administrator using the plugin
configuration page URL without modification. This dashboard includes
common default blog configuration settings that are insecure and should
be modified by the blog administrator or hosting.

/-----------

http://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php
- -----------/




8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*

If installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be
reconfigured accessed with the same vulnerability.

/-----------

http://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php
- -----------/

 This gives an attacker the possibility to disable many features of the
plugin, for example reactivate the forgotten password feature and
reactivate the XML-RPC blog interface. Also you can deny the weblog
service by configuring this plugin to be overly sensitive, blocking any
request. However the plugin cannot be totally disabled because the
essential IDS parameters 'Maximum impact to ignore bad requests' and
'Minimum impact to sanitize bad requests' are verified on the server
side of the blog and cannot be distorted to deactivate the sanitizing or
blocking features of the web IDS plugin.


8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID
35584)*

WordPress discriminates bad password from bad user logins, this reduces
the complexity of a brute force attack on WordPress blogs login
(CVE-2009-2335, BID 35584). The same user information disclosure happens
when users use the forgotten mail interface to request a new password
(CVE-2009-2336, same BID 35584). These information disclosures seem to
be previously reported [6] but the WordPress team is refusing to modify
them alleging *user convenience*.

Default installation of WordPress 2.7.1 leaks the name of the user
posting entries inside the HTML of the blog.

/-----------

 <small>June 3rd, 2009 <!-- by leakedusername --></small>
- -----------/



Also several administrative modules give to anyone the complete path
where the web application is hosted inside the server. This may simplify
or enable other malicious attacks. An example follows.

/-----------

http://[some_wordpress_blog]/wp-settings.php
- -----------/



/-----------

Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in
[WP_LEAKED_PATH]\wp-settings.php on line 110
Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in
[WP_LEAKED_PATH]\wp-settings.php on line 112
Warning: require(ABSPATHwp-includes/compat.php) [function.require]:
failed to open stream:
No such file or directory in [WP_LEAKED_PATH]\wp-settings.php on line 246
Fatal error: require() [function.require]: Failed opening required
'ABSPATHwp-includes/compat.php'
(include_path='.;[PHP_LEAKED_PATH]\php5\pear') in
[WP_LEAKED_PATH]\wp-settings.php on line 246

- -----------/




9. *Report Timeline*

. 2009-06-04:
Core Security Technologies notifies the WordPress team of the
vulnerabilities (security@wordpress.org) and offers a technical
description encrypted or in plain-text. Advisory is planned for
publication on June 22th.

. 2009-06-08:
Core notifies again the WordPress team of the vulnerability.

. 2009-06-10:
The WordPress team asks Core for a technical description of the
vulnerability in plain-text.

. 2009-06-11:
Technical details sent to WordPress team by Core.

. 2009-06-11:
WordPress team notifies Core that a fix was produced and is available to
Core for testing. WordPress team asserts that password and username
discrimination as well as username leakage are known and will not be
fixed because they are convenient for the users.

. 2009-06-12:
Core tells the WordPress team that the patch will be tested by Core as a
courtesy as soon as possible. It also requests confirmation that
WordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to
the flaws included in the advisory draft CORE-2009-0515.

. 2009-06-12:
WordPress team confirms that WordPress 2.8 and earlier plus
WordPress.com are vulnerable to the flaws included in the advisory draft.

. 2009-06-17:
Core informs the WordPress team that the patch is only fixing one of the
four proof of concept abuses included in the advisory draft. Core
reminds the WordPress team that the advisory is scheduled to be
published on June 22th but a new schedule can be discussed.

. 2009-06-19:
Core asks for a new patched version of WordPress, if available, and
notifies the WordPress team that the publication of the advisory was
re-scheduled to June 30th.

. 2009-06-19:
WordPress team confirms they have a new patch that has the potential to
break a lot of plugins.

. 2009-06-29:
WordPress team asks for a delayance on advisory CORE-2009-0515
publication until July 6th, when WordPress MU version will be patched.

. 2009-06-29:
Core agrees to delay publication of advisory CORE-2009-0515 until July 6th.

. 2009-06-29:
Core tells the WordPress team that other administrative PHP modules can
also be rendered by non-administrative users, such as module
'admin-post.php' and 'link-parse-opml.php'.

. 2009-07-02:
WordPress team comments that 'admin.php' and 'admin-post.php' are
intentionally open and plugins can choose to hook either privileged or
unprivileged actions. They also comment that unprivileged access to
'link-parse-opml.php' is benign but having this file open is bad form.

. 2009-07-02:
Core sends the WordPress team a new draft of the advisory and comments
that there is no capability specified in Worpress documentation for
configuring plugins. Also control of actions registered by plugins is
not enforced. Core also notices that the privileges unchecked bug in
'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development
release.

. 2009-07-06:
Core requests WordPress confirmation of the release date of WordPress
2.8.1 and WordPress MU 2.8.

. 2009-07-07:
WordPress team confirms that a release candidate of WordPress 2.8.1 is
made available to users and that the advisory may be published.

. 2009-07-06:
Core requests WordPress confirmation of the release date of WordPress MU
and WordPress MU new version numbers.

. 2009-07-07:
WordPress team release WordPress 2.8.1 RC1 to its users.

. 2009-07-08:
WordPress team confirms that WordPress MU 2.8.1 will be made available
as soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.

. 2009-07-08:
The advisory CORE-2009-0515 is published.



10. *References*

[1] WordPress vulnerabilities in CVE database
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
[2] SecuriTeam List of WordPress Vulnerabilities
http://www.securiteam.com/products/W/Wordpress.html
[3] WordPress Vulnerability - YBO Interactive Blog
http://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/
[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1
http://wordpress.org/support/topic/280748
[5] Security breach - xkcd blog
http://blag.xkcd.com/2009/06/18/security-breach/
[6] securityvulns.com WordPress vulnerabilities digest in English
http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded
[7] CVE-2008-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196
[8] WordPress Roles and Capabilities
http://codex.wordpress.org/Roles_and_Capabilities
[9] WordPress Download Counter
http://wordpress.org/download/counter/
[10] WordPress Intrusion Detection System Plugin
http://php-ids.org/2008/02/21/wpids-version-012-released/
[11] Hardening WordPress with htaccess
http://blogsecurity.net/wordpress/article-210607


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N
TPRpR0Gn0WqmF8HOeDslbA8=
=zEDK
-----END PGP SIGNATURE-----

Views: 9850 | Added by: apeh1706 | Rating: 0.0/0
Total comments: 151 2 »
15  
Because it does still suck, no matter how much Yahoo pretends that it doesn't and sends people from their marketing department to answer this question, pretending to be juveniles or adults with lots of supiciously in-depth advice about the page design (Jane).. . All answers offering any suggestion that the page does not suck will not be considered valid or winners, regardless or whether Yahoo! counts them as such and gives meanless points to it's lackeys who chime in, in a desperate attempt to stop the verbal browbeatings I'm almost certain are a daily occurence at a company that could design such a Soviet era-website (I'm referring to the style. We all know the Soviets neither had the web nor could accept it. Since the Soviet Union isn't around anymore, Yahoo! works with the Red Chinese instead to subtly destroy the freedoms of their people.). . Anyway, the page sucks. Back to the old page. Jane can kiss off with this nonsense about how people love the new page. We don't..

14  
Yes, if you make it work it will. You can do anything on the internet and make it work as long as you do it right.. . You need to have a good website suited for adults and kids, eg. easy to work and navigate. It must also look like a fun website for kids so it attracts their attention.. . You must have your product checked out so that it is safe for kids.. . Then you need to get customers to your site. Advertise on kids pages to get them interested but also advertise on adults pages so that parents can find it for their kids.. . If you are good at web design this would be a good startup business but if you are not, then find someone you know to do it for you for cheap, or it would be expensive to startup with the cost of web developers.. . If you need any more info then just ask.

13  
Suffered to hyour new Outlook.com inbox

As promised, your Hotmail account has been upgraded to Outlook.com. All of your email and other figures from your Hotmail account are relieve here, and your email give a speech to as not changed.

Match a walk—guard against the video on the right to pick up familiar with your supplemental inbox.
Outlook.com tips—see the surmount rated tips and tricks based on feedback from millions of Outlook.com users.
Enrol your inbox; we sent you an email—we’ll tell you all regarding Outlook.com's marked features.

12  
Je voudrais lancez-vous, mais je n'ai aucune idée de quel site à utiliser? Lesquels sont les meilleurs?.

11  
Matchless тему , это очень интересно для меня )))) Спасибо команде trytosecure.do.am касается

10  
Великий бить! Я хотел бы учеником , пока вы изменить свой ​​сайт , как я могу подписаться наблог-сайт ? Счет помогли мнеприменимо сделки. Я чуть-чуть знакомы этой передачи вашего условии, яркие ясно отношении концепция!

9  
The other day, while I was at work, my sister stole my iPad and tested to see if it can survive a thirty foot drop, just so she can be a youtube sensation. My apple ipad is now broken and she has 83 views. I know this is completely off topic but I had to share it with someone!

8  
Я думаю, что другие владельцы сайта должны принять trytosecure.do.am какмодель , очень чистый и отличный удобный стиль и дизайн, не говоря уже о содержании. Вы являетесь экспертом в этой теме! наилучшие пожелания

7  
If you want to make $20-$50/hour and up to $3500/month of your time working at
home part-time then this is the most important message you’re ever going to read...

It may sound hard to believe, but it's true. There are thousands of companies out there who are willing to pay for your opinions regarding their products. This is an important part of product research, and they rely on people just like you for your honest opinion!

Imagine getting paid for doing things like:

- Trying out new menu items from popular restaurants
- Take short surveys about new cars that are coming out soon
- Give your opinion about new clothing and shoe designs
But here's a problem, it's very hard to find out best survey site and you probably can waste too much time,
but I just stumbled up website http://get-surveys-for-money.com where this guy Jack revealed his secret source where he registered and taking surveys in his free time and earning $265 within 12h and $1440 just within 2 weeks

Click Here To read this amazing story :
http://get-surveys-for-money.com

6  
After getting more than 10000 visitors/day to my website I thought your trytosecure.do.am website also need unstoppable flow of traffic...

Use this BRAND NEW software and get all the traffic for your website you will ever need ...

= = > > http://massive-traffic-to-your-site.com

In testing phase it generated 867,981 visitors and $540,340.

Then another $86,299.13 in 90 days to be exact. That's $958.88 a
day!!

And all it took was 10 minutes to set up and run.

But how does it work??

You just configure the system, click the mouse button a few
times, activate the software, copy and paste a few links and
you're done!!

Click the link BELOW as you're about to witness a software that
could be a MAJOR turning point to your success.

= = > > http://massive-traffic-to-your-site.com

1-10 11-15
Name *:
Email *:
Code *: