WordPress 2.6.3 XSS RSS Feed Generator Vulnerability Revealed. Mitigated.

Due to what we consider a critical and of course, an exploitable vulnerability in the RSS subsystem in WordPress 2.6.3 and below, WordPress has released a fix, and moved to version 2.6.5. The links to the new version, and other information are available after the jump, along with the FullDisclosure Vulnerability announcement from Jeremias Reith.
WordPress 2.6.5 is immediately available and fixes one security problem and three bugs. We recommend everyone upgrade to this release.
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.
Note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4.
===== noXSS.org Security Advisory ======
Advisory: WordPress XSS vulnerability in RSS Feed Generator
Author: Jeremias Reith <redacted>
Published: 2008/11/25
Affected: WordPress < 2.6.5
Summary
=======
WordPress prior to v2.6.5 fails to sanitize the Host header variable
correctly when generating RSS feeds and is therefore prune to XSS
attacks.
Web Sites running in a name based virtual hosting setup are not
affected as long as they are not the default virtual host.
Moreover we only found installations running on the Apache web server
to be affected.
Vulnerability Details
=====================
The function self_link() in wp-includes/feed.php is used to generate
absolute URLs for the <atom:link> tag in ATOM and RSS 2.0 feeds:
function self_link() {
echo ‘http’
. ( $_SERVER['https'] == ‘on’ ? ’s’ : ” ) . ‘://’
. $_SERVER['HTTP_HOST']
. wp_specialchars(stripslashes($
}
The function does not sanitize the HTTP_HOST variable in any way but
WordPress replaces all $_SERVER variables with escaped ones in
wp-settings.php:
$_SERVER = add_magic_quotes($_SERVER);
In almost all setups add_magic_quotes() runs
mysql_real_escape_string() over the elements and returns the modified
array. Unfortunately this escaping method is not safe in markup
context.
PoC
====
The Apache web server only disallows ‘/’, ‘\’ and ‘..’ within the host
header. The header can therefore contain markup making the following
PoC possible:
curl -H “Host: \”><body onload=alert(String.fromCharCode(88,83,83))>” \
http://www.example.org/blog/feed
The given example request will return (without additional newlines):
– snip –
…
<atom:link href=”http://\”>
<body onload=alert(String.fromCharCode(88,83,83))>
/blog/feed” rel=”self” type=”application/rss+xml” />
…
– snip –
The embedded JavaScript will be executed in Firefox 3.0.4 due to the
triggered switch to Quirks mode.
Exploit
=======
The following exploit is a semi-stored XSS attack and has been tested
with the following setup:
- Apache 2.x with IP based virtual hosting
- Wordpress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4
WP Super Cache is a popular WordPress plugin that adds static file
caching to WordPress. It greatly increases performance and is
often used. It saves generated pages in the wp-content/cache directory
and adds mod_rewrite rules to serve cached pages statically.
Issuing a malicious request to a vulnerable WordPress installation
will lead to a file containing the XSS to be generated and placed
within the document root.
Request:
curl -H “Host: \”><body onload=alert(String.fromCharCode(88,83,83))>” \
http://www.example.org/blog/feed
Generated file:
http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html
Firefox will execute the embedded JavaScript even tough the feed is
XML because the file is served as text/html.
The only missing the step is the calculation cached file’s MD5 sum.
The following code generates the MD5 checksum:
php -r ‘echo md5(“\”><body onload=alert(String.fromCharCode(88,83,83))>”.
“/blog/feed”), “\n”;’
In the default setup the MD5 sum can be generated by concatenating the
contents of HTTP_HOST and REQUEST_URI resulting in
0d2ca4617758433a7864d57493be2c5b for the given example.
This file can be accessed until the cache expiration mechanism removes
it. The default expire time is 3600 seconds.
Vendor Response
===============
2008-11-17 Reported to vendor
2008-11-17 Initial response from vendor
2008-11-25 Release of version 2.6.5
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_b.png?x-id=bce08610-0bfd-4930-b15c-75c228041f7b)






Nov 26th, 2008 at 12:35
If you’re running WordPress, you need to upgrade: http://tinyurl.com/6yqjrc
Nov 28th, 2008 at 02:08
[...] While the details are quite technical, it involves an unsanitized $_SERVER variable and the WordPress feeds output (Both Atom feeds and RSS 2.0). Just like unwashed hands spreading germs, uncleaned data from the server can have nasty surprises in them – and the feeds code doesn’t clean it well enough (until 2.6.5 that is). That possibly ’surprise’ can then possibly affect all viewers of the feed (if you’re interested in the technical bulletin, you can read them at infosecurity). [...]