Friendly AJAX XSS Worm For Wordpress

Tue, 31 Jul 2007 22:30:04 GMT
by pdp

beNi has discovered several interesting vulnerabilities for Wordpress and has coded a friendly AJAX XSS worm that works behind your back and fixes them. I am sure that David (dk) will go in more details on the matter as soon as he stops playing with Technika and the TSF framework.

beNi, although the idea is interesting, you should not install or run any type of code on sites that you are not specifically authorized to. :) this is for real. You can get into a lot of problems for something like this no matter how noble your intentions are. Post the code and write a white paper how you did it. This is far more safer.

Archived Comments

mybeNi websecuritymybeNi websecurity
Hey pdp! The worm asks for permission and every step must be authorized by the Administrator, it just guides him through the process of applying the workarounds for the security vulnerabilities onto his Wordpress code. ;)
pdppdp
heh :) this is less critical but still. interesting research btw. have you informed the wordpress guys?
David KierznowskiDavid Kierznowski
pdp, heh, I have checked the mans work ... trying to rope him in for a chat :-)
.mario.mario
Yep - very nice work indeed! But as pdp already said please release the sources. There's no way for me using this tool w/o knowing what it really does.
mybeNi websecuritymybeNi websecurity
yes, right after I pressed the Post Button, I created some Tickets at the Wordpress Bugtracker (trac.wordpress.com). They already fixed some parts, hope the release won't take too long.
pdppdp
good stuff byNi... let's see how long it will take wordpress to release a new version.
mybeNi websecuritymybeNi websecurity
mario: If you refer from your admin panel to my page, it pops up and asks you if you'd like to fix these vulns, then it goes to your admin panel back again, carrying its XSS payload and creating a Small setup, which tells the Admin where to add which parts of code to his Wordpress files in order to Fix the Vulnerabilities. At the end, the Admin is prompet wheter he'd like to continue the worm by pasting a small "Referal-Checking" php line to his sidebar (manually by copy&paste) or if he'd like to add a blogroll link to my blog (of course automatically) ;) --cheers beni
.mario.mario
Thanks for the explanation but as I already said - w/o code review no usage - don't get me wrong please. And at the moment I have no time to set up a testblog etc. What's the problem with publishing the sources? You'd like to wait until the vulns are fixed?
mybeNi websecuritymybeNi websecurity
Hell, it is javascript, you'll find the scrip tags on your own
zqyveszqyves
hello all, have a look at that: http://www.symantec.com/enterprise/security_response/weblog/2007/08/wordpress_xss_exploit_solves_p.html there is actually a problem in the code of the XSS worm resulting in the "+" not encoded and interpreted as " " (space) by the browser.
.mario.mario
Yep - just caught that too via my feeds - so maybe now you know what I mean with no review no usage.