Security blog
Persistent XSS in WordPress
During a brief source code audit of WordPress, one of the most popular open-source blogging platforms, we found 2 persistent XSS flaws.
Proof of Concept (IE7)
Enter the following string in a comment field:
aaa@"STYLE="behavior:url('#default#time2')"onBegin="alert('XSS')"
Activation takes place when a blog user reads the comment.
Moreover, activation also occurs in the administration section (sample attack impacts: session takeover, CSRF).
The second flaw is similar. Enter the following string in a comment field:
javascript://%0a%0dalert%281%29
Activation takes place after clicking the resulting link.
I'd like to remind you that persistent XSS flaws are quite dangerous (the attack against a victim activates during normal navigation through the portal).
Details
The problems were spotted in the following file:
wp-includes/formatting.php, to be more specific: in the function make_clickable().
The regexps are too lax to prevent injection (see lines 6 and 8 below): line 6 accepts any scheme before "://", so a "javascript:" URL is turned into a clickable link, and line 8 accepts almost any character after the "@" of an e-mail address, including double quotes, so the mailto: href attribute can be closed and further attributes (STYLE, event handlers) injected into the generated anchor tag.
1. function make_clickable($ret) {
2.     $ret = ' ' . $ret;
3.     // in testing, using arrays here was found to be faster
4.     $ret = preg_replace(
5.         array(
6.             '#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is',
7.             '#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is',
8.             '#([\s>])([a-z0-9\-_.]+)@([^,< \n\r]+)#i'),
9.         array(
10.            '$1<a href="$2" rel="nofollow">$2</a>',
11.            '$1<a href="http://$2" rel="nofollow">$2</a>',
12.            '$1<a href="mailto:$2@$3">$2@$3</a>'),$ret);
13.    // this one is not in an array because we need it to run last, for cleanup of accidental links within links
14.    $ret = preg_replace("#(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>#i", "$1$3</a>", $ret);
15.    $ret = trim($ret);
16.    return $ret;
17. }
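The two proof-of-concept strings run through make_clickable(), as an added example that is not part of the original post and not WordPress code: a Python port of the function above (Python's re accepts these PCRE patterns as written; re.ASCII mimics PHP's non-Unicode \w), followed by a hardened variant written for this example, which is not the vendor's 2.3.2 patch. The hardened variant whitelists the URL scheme, requires a hostname-shaped domain after the "@" of an e-mail address, and HTML-escapes both the href value and the link text. The benign sample comment is constructed.

```python
import html
import re

# Python port of make_clickable() from WordPress 2.3.1 (wp-includes/formatting.php).
# PHP's preg_replace() applies the three patterns in order; we do the same.
# re.ASCII mimics PHP's non-Unicode \w for these patterns.
_FLAGS = re.I | re.S | re.ASCII
_URL_RE = re.compile(r'([\s>])([\w]+?://[\w#$%&~/.\-;:=,?@\[\]+]*)', _FLAGS)
_WWW_RE = re.compile(r'([\s>])((www|ftp)\.[\w#$%&~/.\-;:=,?@\[\]+]*)', _FLAGS)
_MAIL_RE = re.compile(r'([\s>])([a-z0-9\-_.]+)@([^,< \n\r]+)', re.I | re.ASCII)
_NESTED_RE = re.compile(r'(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>', re.I | re.ASCII)

# The two proof-of-concept comment strings from the advisory above.
POC_MAILTO = 'aaa@"STYLE="behavior:url(\'#default#time2\')"onBegin="alert(\'XSS\')"'
POC_JAVASCRIPT = 'javascript://%0a%0dalert%281%29'
# Constructed benign comment used to show that the hardened version still links normal input.
BENIGN = 'see http://example.com/x?a=1 or write to bob@example.com'


def make_clickable_vulnerable(text):
    """Faithful port of the 2.3.1 function: three lax regexps, then the nested-link cleanup."""
    ret = ' ' + text
    ret = _URL_RE.sub(r'\1<a href="\2" rel="nofollow">\2</a>', ret)          # line 6: any scheme
    ret = _WWW_RE.sub(r'\1<a href="http://\2" rel="nofollow">\2</a>', ret)   # line 7
    ret = _MAIL_RE.sub(r'\1<a href="mailto:\2@\3">\2@\3</a>', ret)           # line 8: quotes allowed
    ret = _NESTED_RE.sub(r'\1\3</a>', ret)
    return ret.strip()


# Hardened patterns (this example's own, not the vendor's fix):
#  - the scheme is an explicit whitelist instead of \w+?, so javascript: never becomes a link;
#  - the e-mail domain must look like a hostname, so a double quote after "@" ends the match.
_SAFE_URL_RE = re.compile(r'([\s>])((?:https?|ftp)://[\w#$%&~/.\-;:=,?@\[\]+]*)', _FLAGS)
_SAFE_WWW_RE = _WWW_RE  # its character class already excludes quotes, whitespace and '<'
_SAFE_MAIL_RE = re.compile(r'([\s>])([a-z0-9\-_.]+)@([a-z0-9\-]+(?:\.[a-z0-9\-]+)+)',
                           re.I | re.ASCII)


def _anchor(prefix, href, label, nofollow=True):
    # Escape the attribute value and the link text, so nothing in the matched string
    # can close href="..." or open a new tag even if a pattern is later loosened.
    rel = ' rel="nofollow"' if nofollow else ''
    return '%s<a href="%s"%s>%s</a>' % (prefix, html.escape(href, quote=True), rel,
                                        html.escape(label))


def make_clickable_hardened(text):
    """Same linkification, with a scheme whitelist, a strict mail domain and escaped output."""
    ret = ' ' + text
    ret = _SAFE_URL_RE.sub(lambda m: _anchor(m.group(1), m.group(2), m.group(2)), ret)
    ret = _SAFE_WWW_RE.sub(lambda m: _anchor(m.group(1), 'http://' + m.group(2), m.group(2)), ret)
    ret = _SAFE_MAIL_RE.sub(
        lambda m: _anchor(m.group(1), 'mailto:%s@%s' % (m.group(2), m.group(3)),
                          '%s@%s' % (m.group(2), m.group(3)), nofollow=False), ret)
    ret = _NESTED_RE.sub(r'\1\3</a>', ret)
    return ret.strip()


if __name__ == '__main__':
    for sample in (POC_MAILTO, POC_JAVASCRIPT, BENIGN):
        print('input     :', sample)
        print('vulnerable:', make_clickable_vulnerable(sample))
        print('hardened  :', make_clickable_hardened(sample))
        print()
```

Running it shows the first payload coming out of the vulnerable port as <a href="mailto:aaa@"STYLE="..."onBegin="..."">, i.e. the quote after "aaa@" closes the href and the rest of the comment becomes attributes of the anchor, and the second payload becoming an <a href="javascript://..."> link; the browser percent-decodes the javascript: URL body before evaluating it, so the "//" is only a one-line comment ended by the decoded line break and alert(1) runs on click. The hardened variant leaves both payloads unlinked and produces byte-identical output for the benign comment.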
Vulnerable versions of WordPress
2.3.1, probably also lower versions.
Remedial steps
The vendor was informed and released version 2.3.2 of the software, which contains a patch fixing the vulnerability.
We recommend upgrading to the newest version of WordPress.
Two security audits for BRE Bank
We conducted 2 security audits for BRE Bank (one of the biggest banks in Poland, with Commerzbank as a strategic shareholder).
The scope of the audits was as follows:
- Auditing one of the information portals owned by the bank
- Auditing a web application used by the bank
We audited both the application part and the infrastructure part of the systems.
We received a reference letter, which can be viewed by our prospective clients.
Unfortunately, due to a quite restrictive NDA agreement, we can't provide more details.
Welcome to security blog
Here we are going to publish interesting news from the world of web application security.
Planned topics:
- security flaws found by us in popular web software
- security flaws in large Polish web portals
- information about our current auditing activities
We'll focus only on critical issues ;-)
Michał Sajdak
IT Director, Chief of software security team
WebService
