WordPress.com permanent XSS vulnerability

2009 April 8
by Pedro Laguna

UPDATE: Drew Strojny, the creator of the Vigilance theme, asked me to hide this post until he had published a fixed version. He did so yesterday, so I have put the post back online.

On Friday, April 3, I discovered an XSS vulnerability in WordPress.com. An attacker could insert Javascript into the “Alert Box” feature of the Vigilance theme. It was a permanent (stored) XSS vulnerability that could be used to build an XSS worm across WordPress.com, or to spam every blog with Russian or Chinese malicious links.

On Saturday, April 4, I sent an email to WordPress.com support letting them know about the vulnerability. They (well, Anthony) replied asking what kind of Javascript I had been able to insert:

To: me@email.com
Subject: [WordPress #282419]: General – I discover that i can insert javascript without p
Date: Sat, 04 Apr 2009 11:49:32 +0000
From: "Anthony – WordPress.com" support@wordpress.com
Reply-To: support@wordpress.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

Hi,

What specific javascript code did you enter?

Best,

Anthony

Automattic | WordPress.com

I answered with more specific technical detail:

In-Reply-To: khkrik.hlo0f3@help.automattic.com
Date: Sat, 4 Apr 2009 13:52:13 +0200
Delivered-To: me@email.com
Subject: Re: [WordPress #282419]: General – I discover that i can insert javascript without pr
From: Pedro Laguna me@email.com
To: support@wordpress.com
Content-Type: multipart/mixed; boundary=0016e6ddfed2d012cc0466b94bfd
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

I attach three pics. I tried only some simple javascript, but I’m sure I’ll be able to put anything there.

Pedro Laguna

The three pictures I sent are these, and they demonstrate that I can insert anything I want:

[Screenshot 1: Vigilance Options, with some simple Javascript entered in the Alert Box]

[Screenshot 2: the blog “Equilibrio Inestable” with XSS!!, showing the alert “This blog was XSSed!!!”]

[Screenshot 3: page source, showing the Javascript code without being filtered]
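The page source in the last screenshot shows the injected script stored and echoed verbatim. A site owner running this theme would want to know whether their own stored Alert Box value had already been abused. The following is an added example, not code from this post or from the Vigilance theme: a small PHP audit over option_name/option_value pairs (for instance rows exported from wp_options) that flags values carrying active content. The function names and the sample rows are constructed for this illustration; the V_* option names are the ones the theme's options form submits.

```php
<?php
// Added example, not code from the post or from the Vigilance theme: audit
// stored theme option values for active content. Function names and the
// sample rows below are constructed for this illustration.

/**
 * Return the labels of every heuristic that fires on a stored value.
 * An empty array means nothing script-like was found. The patterns are
 * deliberately broad (an audit prefers false positives over misses), so
 * every hit should be reviewed by hand.
 */
function find_active_content(string $value): array
{
    $checks = [
        'script tag'            => '/<\s*script\b/i',
        'inline event handler'  => '/\bon[a-z]+\s*=/i',
        'javascript: URL'       => '/\b(href|src|action)\s*=\s*["\']?\s*javascript:/i',
        'embedded frame/object' => '/<\s*(iframe|frame|object|embed)\b/i',
        'entity-encoded "<"'    => '/&#(x0*3c|0*60);?/i',   // &#60; or &#x3c; hiding a "<"
    ];
    $hits = [];
    foreach ($checks as $label => $pattern) {
        if (preg_match($pattern, $value) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/**
 * Audit option_name => option_value pairs (for example rows exported from
 * wp_options) and report only the ones that look suspicious.
 */
function audit_theme_options(array $options): array
{
    $report = [];
    foreach ($options as $name => $value) {
        $hits = find_active_content((string) $value);
        if ($hits !== []) {
            $report[$name] = $hits;
        }
    }
    return $report;
}

// Constructed sample rows, mirroring the V_* names the theme's options form submits.
$sample = [
    'V_alertbox_state'   => 'On',
    'V_alertbox_title'   => 'Title',
    'V_alertbox_content' => 'Welcome to the blog <script>alert("hola");</script>',
    'V_background_color' => 'dcdfc2',
    'V_link_color'       => '772124',
];

foreach (audit_theme_options($sample) as $name => $hits) {
    echo $name, ': ', implode(', ', $hits), PHP_EOL;
}
```

Run it with the PHP CLI against an export of the blog's option values; only V_alertbox_content is reported for the constructed rows above. The checks are heuristics for triage, not a sanitizer: anything they flag should be inspected and, if unexpected, removed and the admin accounts reviewed.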

After this email I started to think about what an evil person could do with this vulnerability. The first step is to determine how WordPress.com users can be affected. There are two kinds of WordPress.com users:

  • Users with the Vigilance theme activated
  • Users with another theme

The first target is easy. We can use AJAX to generate every HTTP request we need, so we can copy the XSS worm code into the Alert Box feature of blogs that have this theme activated:

POST /wp-admin/themes.php?page=functions.php HTTP/1.1
Host: <blogname>.wordpress.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 234

V_pages_to_exclude=&V_background_css=Disabled
&V_background_color=dcdfc2&V_border_color=d7dab9
&V_link_color=772124&V_hover_color=58181b
&V_alertbox_state=On&V_alertbox_title=Title
&V_alertbox_content=Message
&save=Save+changes&action=save

We will change the Message value to insert our Javascript code, and set the state to On so that it is displayed on the front page.

The other group of users can host our evil XSS code too; they first need to activate the Vigilance theme. That can easily be done with the following HTTP request:

GET /wp-admin/themes.php?action=activate&template=pub%2Fvigilance&stylesheet=pub%2Fvigilance&_wpnonce=a4c05c7d1d HTTP/1.1

As you can see, it is a GET request, so it could be triggered with a simple CSRF request. Really? No! They use a _wpnonce parameter to block that kind of attack. But that is not a problem once we can run Javascript inside the domain, because the cookie domain is defined as .wordpress.com. This means we can make an AJAX request to retrieve the wp-admin/themes.php page, extract the _wpnonce value, and build a valid theme-changing request.
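The two requests above illustrate the two separate defects involved: the Alert Box content is stored and echoed without filtering, and the nonce only stops a cross-site request, not script already running on the same origin. As an added example (not the Vigilance theme's own code, nor WordPress.com's patch), here is the option-handling pattern that produces a stored XSS of this kind, followed by a hardened version built on WordPress's own wp_kses, esc_html and nonce/capability helpers. The option names V_alertbox_state, V_alertbox_title and V_alertbox_content are the ones from the POST request above; the function names, the nonce action 'vigilance_save_options' and the choice of the manage_options capability are assumptions.

```php
<?php
// Added example, not the Vigilance theme's own code: the option-handling
// pattern behind a stored XSS, next to a hardened version. Function names,
// the nonce action and the capability name are assumed for this illustration.

// --- Vulnerable pattern: whatever the admin typed is stored and echoed as-is ---
function vigilance_alertbox_vulnerable(): void
{
    if (get_option('V_alertbox_state') !== 'On') {
        return;
    }
    echo '<div class="alertbox"><h3>' . get_option('V_alertbox_title') . '</h3>';
    echo get_option('V_alertbox_content') . '</div>';   // raw HTML, <script> included
}

// --- Hardened pattern ---

// HTML the Alert Box may legitimately contain: formatting and plain links only.
// wp_kses also drops href values whose scheme is not in its allowed protocols,
// so a javascript: link does not survive either.
function vigilance_allowed_html(): array
{
    return [
        'a'      => ['href' => [], 'title' => []],
        'strong' => [],
        'em'     => [],
        'br'     => [],
        'p'      => [],
    ];
}

// Save handler. The options form is expected to carry
// wp_nonce_field('vigilance_save_options'), which check_admin_referer() verifies.
// Nonce and capability checks address CSRF; the wp_kses calls address the XSS.
function vigilance_save_options_hardened(): void
{
    check_admin_referer('vigilance_save_options');
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }

    $state   = (($_POST['V_alertbox_state'] ?? '') === 'On') ? 'On' : 'Off';
    $title   = wp_kses(wp_unslash($_POST['V_alertbox_title'] ?? ''), []);   // no markup at all
    $content = wp_kses(wp_unslash($_POST['V_alertbox_content'] ?? ''), vigilance_allowed_html());

    update_option('V_alertbox_state', $state);
    update_option('V_alertbox_title', $title);
    update_option('V_alertbox_content', $content);
}

// Output: escape the title, and run the content through wp_kses again so that a
// value written to the database by some other path is still neutralised.
function vigilance_alertbox_hardened(): void
{
    if (get_option('V_alertbox_state') !== 'On') {
        return;
    }
    echo '<div class="alertbox"><h3>' . esc_html(get_option('V_alertbox_title')) . '</h3>';
    echo wp_kses(get_option('V_alertbox_content'), vigilance_allowed_html()) . '</div>';
}
```

The nonce and capability checks close only the CSRF half; as the paragraph above notes, script already running on the same origin can fetch a page and read the nonce out of it, so the stored XSS itself is closed only by reducing the content to the allow-list on save and escaping on output. Filtering at both points is deliberate: the output filter protects readers even if a future code path writes to the option without going through the save handler.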

OK, now we have the transmission part under control. But… how do we start all this mess? We could create a blog through some proxy, with fake mails, a public AP, etc., but that is not part of this post. The really interesting thing is that we can use Google to find new victims for our XSS worm. On the front page of blogs with the Vigilance theme active we can see the text “Theme: Vigilance by Jestro”. This text and some Google skills let us determine that at least 500,000 blogs are using this theme:

[Screenshot: Google search for the theme credit text]

Some spam to these blogs with the URL of our XSS worm blog, and the party starts! But we need people to visit the infected blogs. For this part we need some social engineering skills and tricks. Since we can interact with the whole admin interface of logged-in users, we can also post to their blogs. We could write a post about the new theme (to entice people who read blogs via RSS to visit the real blog).

As we can see, the process of making an XSS worm is a bit complex and requires some Javascript skills. In this case the anti-XSS filter was not active, so we did not need to worry about evasion techniques.

Finally, on Monday, April 6, WordPress.com (Nick) contacted me to thank me for advising them about the vulnerability and to confirm that it had been patched.

To: me@email.com
Subject: [WordPress #282419]: General – I discover that i can insert javascript without pr
Date: Mon, 06 Apr 2009 14:46:21 +0000
Message-ID: <khop19.56t9h3@help.automattic.com>
From: "Nick – WordPress.com" support@wordpress.com
Reply-To: support@wordpress.com

Hi,
Thanks for letting us know about this! It’s been patched up now so the JS can’t be used.

Nick
Automattic | WordPress.com

Today I am publishing this to warn people about the risk of XSS vulnerabilities and to congratulate the WordPress.com team on their quick response. Have a nice day!

8 Responses
  1. 2009 April 8

    Russian or Chinese? Excuse me Sir, I am important Nigerian minister. I am trying to move a big amount of money (~ $ 120M USD) out of the country and I will give you a 10% if you help me.

    Anyways, I’m proud of your behavior and the way you escalated it.

  2. 2009 April 9

    It’s really amazing Mr. McLoving!

  3. 2009 April 9

    Watching you browse the internet must be quite a sight; do you have some addon or something similar that inserts alert(“hola”); into every text box? :D

    Very good as always, regards!!

  4. 2009 April 9

    @Rafa Vargas Thank you man!

    @Thor Ou yeah!

    @dGil Thank you! But it isn’t any addon; it’s just that they can’t put a field in front of me that explicitly says “Enter your HTML here” without me feeling tempted to start trying things… I wanted some kind of filter to try to bypass!! But if they leave it that simple… :P

  5. 2009 April 12

    Thanks for posting this information. Unfortunately, the theme is also available as both a free and a commercial theme for wordpress.org users.
    http://themes.jestro.com/vigilance/

    I have notified the theme developer as it looks like the theme has not been patched yet. Just thought you might like to contact him and share the information.

  6. 2009 April 12

    Hi Pedro!

    Thanks for finding this. I am the developer of the Vigilance theme and would like to update our WordPress.org version as well. If you could get in touch with me through email: info at jestro dot com that would be great.

    Thanks again for finding this!

  7. 2009 April 18 (huntme)

    Good job buddy

Trackbacks & Pingbacks

  1. WordPress.com permanent XSS vulnerability | Suporte de Informática
