Advisories | ethicalhack3r

Posts categorized “Advisories”

February 13th 2010

WordPress >= 2.9 Failure to Restrict URL Access

1. *Advisory Information*

Title: WordPress >= 2.9 Failure to Restrict URL Access
Date published: 13/02/2010


2. *Vulnerability Information*

Class: Failure to Restrict URL Access
Remotely Exploitable: Yes
Locally Exploitable: Yes


3. *Software Description*

WordPress is a state-of-the-art publishing platform with a
focus on aesthetics, web standards, and usability. WordPress
is both free and priceless at the same time. [0]


4. *Vulnerability Description*

Frequently, the only protection for a URL is that links to that page
are not presented to unauthorized users. Security by obscurity is
not sufficient to protect sensitive functions and data in an application.
Access control checks must be performed before a request to a sensitive
function is granted, which ensures that the user is authorized to access
that function. [1]


5. *Vulnerable packages*

Versions >= 2.9


6. *Non-vulnerable packages*

Versions < 2.9


7. *Vulnerability Overview*

Since version 2.9, WordPress has included a feature that lets users
retrieve posts they may have deleted by accident. This feature is
labelled ‘trash’. Posts placed in the trash are intended to be viewable
only by authenticated, privileged users.


8. *Technical Description*

When WordPress implemented this feature, it did not change the
permissions that apply to a post once it is in the trash. As a result,
an unauthenticated user cannot see a trashed post, but any authenticated
user can, regardless of their privileges, even a ‘subscriber’.

“Subscriber [User Level 0] – Somebody who can read comments/comment/receive newsletters, etc.” [2]
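As an added, illustrative example (neither the advisory's PoC nor WordPress's own fix), the following plugin-style hook enforces the check the advisory describes as missing: a trashed post is served only to a user who could edit it, so a subscriber or an anonymous visitor receives a 404 instead of the content. It assumes a current WordPress install where `get_queried_object_id()` and `get_404_template()` are available; the plugin name and function name are hypothetical.

```php
<?php
/*
 * Plugin Name: Trash View Guard (hypothetical name, added for illustration)
 * Purpose: refuse to render a trashed post to anyone who could not edit it,
 * regardless of whether they are logged in.
 */

add_action( 'template_redirect', 'tvg_block_trashed_posts' );

function tvg_block_trashed_posts() {
    // Only singular views (a single post or page) render one item's full content.
    if ( ! is_singular() ) {
        return;
    }

    $post = get_post( get_queried_object_id() );
    if ( ! $post || 'trash' !== $post->post_status ) {
        return; // Not a trashed item: nothing to guard.
    }

    // Authorisation is tied to the post, not merely to being logged in:
    // authors, editors and administrators who may edit the post keep access.
    if ( current_user_can( 'edit_post', $post->ID ) ) {
        return;
    }

    // Everyone else (subscribers included) gets the theme's 404 page.
    status_header( 404 );
    nocache_headers();
    include get_404_template();
    exit;
}
```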


9. *PoC*

http://codeviewer.org/view/code:c03


10. *Credits*

Thomas Mackenzie (tmacuk) – http://www.thomasmackenzie.co.uk/
Original finder and tester.

Ryan Dewhurst (ethicalhack3r) – http://www.ryandewhurst.co.uk/
PoC creation and analysis.

Arron Finnon (f1nux) – http://www.finux.co.co.uk/
Helped with documentation.

Matthew Hughes – http://www.matthewhughes.co.uk/
Helped with documentation.

Robin Wood (digininja) – http://www.digininja.org/
Helped identify the vulnerability type.


11. *References*

[0] http://wordpress.org/
[1] http://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access
[2] http://codex.wordpress.org/Roles_and_Capabilities


UPDATE 13/02/2010 –

WP unofficial patch released:
http://www.2shared.com/file/11360976/9b00062c/diff_wp.html


UPDATE 15/02/2010 –

WordPress 2.9.2 has been released, which fixes the Failure to Restrict URL Access vulnerability.



October 17th 2009

[BONSAI] XSS and SQL Injection in Achievo <= 1.3.4

Today Andres Riancho, owner of Bonsai Information Security (Argentina) and lead developer of w3af, has released a couple of advisories on vulnerabilities in Achievo <= 1.3.4, which we found a few months ago during our vulnerability research into common web applications.


The affected web application is Achievo <= 1.3.4. Achievo suffered from multiple simple persistent XSS vulnerabilities within their scheduler module and an SQL injection vulnerability within their dispatch.php file.


Achievo is a flexible web-based resource management tool for business
environments. Achievo’s resource management capabilities will enable
organisations to support their business processes in a simple, but effective
manner.


Andres and I worked on quite a novel (to me) payload for the persistent XSS vulnerability we found. Essentially, the payload was an AJAX script that sent POST requests to the vulnerable application in order to escalate a user's privileges. A write-up by Andres on the payload can be found here: http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/


For the original advisories:

Multiple XSS in Achievo

SQL injection in Achievo


All vulnerabilities found were disclosed in an ethical manner. We worked alongside the affected application's developers to fix the vulnerabilities found. The advisories were not published until the developers had fixed and updated their software.



August 4th 2009

[BONSAI] SQL Injection in CS-Cart <= 2.0.5

Here is one of the vulnerabilities I found during my research for Bonsai Security a few weeks ago. The research consisted of vulnerability assessing commercial and open-source ecommerce web applications over a 2-week period.


During my research I learnt a great deal from Andres Riancho (w3af/bonsai-sec owner) and from the vulnerability assessments themselves. So what did I learn? I learnt that patience is definitely a virtue, JavaScript is a pain in the ass, ecommerce web application developers need to invest more time in security, and a lot more with regard to perfecting my assessment techniques.


Here is the vulnerability report:

http://www.bonsai-sec.com/research/vulnerabilities/cs-cart_SQL-injection-0100.txt


Here is a great post by Andres on the difficulty of the actual exploitation:

http://www.bonsai-sec.com/blog/index.php/not-the-average-sql-injection/


A massive thanks to Andres for giving me the opportunity to work for him. I learnt more in the (just over) two week period working for him than I could have learnt in a whole 12 months.