Hello Full-Disclosure! I want to warn you about new security vulnerabilities in WordPress which I published at 30.07.2010 during my Day of bugs in WordPress 2 project. This is second advisory for this project. ------------------------------ Advisory: Day of bugs in WordPress 2: CSRF, Information Leakage and Full path disclosure vulnerabilities in WordPress ------------------------------ URL: http://websecurity.com.ua/4420/ ------------------------------ These are Cross-Site Request Forgery vulnerability which I found at 05.06.2007, Information Leakage which I found at 02.08.2009, and Full path disclosure which I found at 29.07.2010. ------------------------------ 1. Cross-Site Request Forgery. ------------------------------ Taking in account that in plugin WordPress Database Backup there is no protection against CSRF, then with help of this CSRF vulnerability it's possible to attack admin. It can be done for forcing of backup, in order to get the backup of site's DB via earlier mentioned Information Leakage vulnerability, or for the purpose of creating of large number of backup files, to occupy free space at the server. Or in order to receive backup on email. These CSRF-attacks are possible if plugin WP-DB-Backup is activated. With help of CSRF-attack it's possible to make backup of any tables, as all, as selectively (e.g. table with users wp_users). In this exploit the backup is making with table wp_users: http://websecurity.com.ua/uploads/2010/WordPress%20Database%20Backup%20CSRF.html And also it's possible to simply send backup (for example with table wp_users) to your email: http://websecurity.com.ua/uploads/2010/WordPress%20Database%20Backup%20CSRF2.html It's attack which I called Email me backup attack. As I already note, this leakage of information in backup of DB is the most dangerous concerning with that there are login and hash of admin in backup. Which can be used for gaining access to the site. It was very actual before releasing of WordPress 2.5, in which authorization system was remade, after Steven Murdoch drew attention of WP developers at Cookie Authentication vulnerability in WordPress (http://securityvulns.ru/Sdocument460.html). And from version 2.5 in WP new authorization method via cookies is using, but even in new versions of engine the leakage of backups is still dangerous and it's better not to allow it. Affected products: WordPress 2.0.11 and previous versions, with which plugin WordPress Database Backup was shipped. Also vulnerable are plugin WP-DB-Backup 2.0 and previous versions in any versions of WordPress (WP 2.9.2 and previous versions and potentially WP 3.0 and 3.0.1). ------------------------------ Protection against this vulnerability. ------------------------------ As I mentioned, in version 2.1 of the plugin the protection against CSRF was added, so the last version of plugin WP-DB-Backup 2.2.2 is not vulnerable to CSRF. So it's necessary to update plugin to the last version. ------------------------------ 2. Information Leakage (via Privileges unchecked). ------------------------------ In June 2007 I already found Information Leakage vulnerability in plugin WordPress Database Backup (it was mentioned in previous advisory). And in August 2009 I found new vulnerability concerning with this plugin (which is a consequence of Privileges unchecked vulnerability (http://securityvulns.ru/Wdocument142.html), which was disclosed in July 2009). This vulnerability allows to find out the path to backup folder, and also to reveal prefix of tables in DB. The Privileges unchecked vulnerability in WP was found by CORE in 2009. They used my research about Local File Inclusion in WP (many of which were working even with Subscriber account), which I wrote about in December 2007 (CVE-2008-0196) during first Day of bugs in WordPress project. These holes were fixed in WP 2.3.2, but, as CORE found, LFI attacks on plugins folder were still possible (due to lack of privilege checks in WP). This vulnerability can be used in pair with previous Information Leakage vulnerability for revealing of full path to backups and downloading of backups of site's DB. If to know folder's name, it's possible to easily reveal file name (up to 1000 combination, if name of database in MySQL, prefix and date are known) and to download the backup. Also knowing of prefix of tables in DB will be of use at SQL Injection attack. Leakage of information is going at accessing via admin.php to WP-DB-Backup plugin: http://site/wp-admin/admin.php?page=wp-db-backup.php If plugin WordPress Database Backup is activated, then with having account with minimal rights (Subscriber) it's possible to find out path to backup and prefix of tables. Affected products: WordPress 2.8 and previous versions. Vulnerability concerns only WP and not the plugin (via this vulnerability it's possible to attack other plugins too). In WordPress 2.8.1 this Privileges unchecked vulnerability is already fixed, so this attack is not working. ------------------------------ Protection against this vulnerability. ------------------------------ For protection it's possible to update WordPress to not vulnerable version, or update plugin to the last version. Beginning from version 2.1 of plugin (including last version WordPress Database Backup 2.2.2) this vulnerability already doesn't work (even in older vulnerable versions of engine), but Full path disclosure hole has appeared. ------------------------------ 3. Full path disclosure. ------------------------------ There are two Full path disclosure vulnerabilities in WP-DB-Backup: http://site/wp-admin/admin.php?page=wp-db-backup.php Vulnerability works with plugin WordPress Database Backup 2.1 and higher. It works at users with any rights (even Subscriber) in all versions of WordPress (until WP 2.8.1) via using above-mentioned Privileges unchecked vulnerability. http://site/wp-content/plugins/wp-db-backup.php Vulnerability works in all versions of WordPress Database Backup (including it's not fixed in the last version WP-DB-Backup 2.2.2) in all versions of WordPress. ------------------------------ Protection against these vulnerabilities. ------------------------------ For protection it's possible to fix these Full path disclosure vulnerabilities by yourself (as others FPD in WordPress). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/