Recent
WordPress 3.3 Cross-Site Scripting (XSS)
Yesterday two Indian security researchers, Aditya Modha & Samir Shah, released an advisory outlining a Cross-Site Scripting (XSS) vulnerability within the latest version (at the time of writing) of WordPress, 3.3. Many people started re-tweeting the news (including myself) and blogging about it. The problem came when I tried to reproduce the vulnerability: I couldn’t.
I started to think that the vulnerability was a misunderstanding or a publicity stunt and was getting annoyed at the many people who were spreading misinformation. I contacted the researchers over Twitter and told them that I was unable to reproduce the vulnerability in any browser or on any WordPress installation, including vanilla installs.
The researchers got back in touch with a link to a WordPress installation on which the vulnerability worked. The URL they gave me was an IP address. Within their environment the XSS worked.
At this point I think even the researchers were puzzled. They sent me the code that they believed was the function causing the XSS within wp-includes/functions.php: http://pastebin.com/iBnpN8Zm.
WordPress Plugin Disqus Comment System XSS
# Exploit Title: WordPress Plugin Disqus Comment System <= 2.68 Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/disqus-comment-system/
# Date: 11.12.11
# Author: Ryan Dewhurst (@ethicalhack3r)
# Software Link: http://downloads.wordpress.org/plugin/disqus-comment-system.2.68.zip
# Version: 2.68
# Tested on: Cross-Platform
** Vulnerability Description **
The WordPress Disqus Comment System version 2.68 was found to be affected by Reflected Cross-Site Scripting (XSS). At the time of writing the plugin (not this specific version) had been downloaded 504,746 times. [0]
EC-Council – CEH – Unethical Behavior
The EC-Council, or ‘The International Council of E-Commerce Consultants’ as they like to call themselves, offer a range of different services, mostly in the field of Information Security training and certifications. One of their certifications, the Certified Ethical Hacker (CEH), claims to aspire to training ‘ethical’ hackers.
“CEHv7 provides a comprehensive ethical hacking and network security-training program to meet the standards of highly skilled security professionals.”
What I have found is that the way the EC-Council promote their CEH is less than ethical, and in fact downright unethical.
A comment left on my blog quite a while ago (2010/04/20 at 6:18 am) looked fairly authentic; however, when investigating a little further it was clear to me that the comment was in fact SPAM.
“smith said…
Hey folks, Thanks for sharing your views,article includes a very good information about the ethical hacking, the most interesting job in the field of computer security is being an ethical hacker,so i striven into the field of CEH, for more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
WPScan 1.1 released
I am pleased to announce, after 5 months of work, that WPScan version 1.1 has been released!
With 780 more lines of code the most notable changes are:
Detection for 750 more plugins.
Detection for 107 new plugin vulnerabilities.
Detection for 447 possible timthumb file locations.
Advanced version fingerprinting implemented.
Full Path Disclosure (FPD) checks.
Auto updates.
Progress indicators.
Improved custom 404 checking.
Improved plugin detection.
Improved error_log checking.
Lots of bugs fixed.
Lots of small tweaks.
A full list of changes can be found here:
http://code.google.com/p/wpscan/source/browse/trunk/CHANGELOG
WordPress ‘In the Wild’ and WPScan Update
As part of my ongoing interest in WordPress security I wanted to find out for myself what the state of security was like on installations in the wild.
A list of servers running WordPress was acquired from Shodan by searching for a particular HTTP response header and its value. The list contained 10,000 entries. I don’t know for sure, but I assume the list contained servers from around the world and was fairly random.
An Open Source project I have been working on, WPScan, a WordPress security scanner, was used to passively scan 100 of those WordPress installations. This was done partly to test the scanner for any defects and also to gather data about the security of WordPress installations in the wild.