
Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#4344 closed defect (bug) (invalid)

Posting comments from external websites

Reported by: PsychoGun
Owned by:
Milestone:
Priority: high
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

There is a new vulnerability in WordPress, all versions are concerned.
See my site for more information: http://ar3av.free.fr/faillewordpress-en.php

Change History (28)

comment:1 PsychoGun 7 years ago

  • Component changed from Administration to Security

comment:2 PsychoGun 7 years ago

  • Milestone 2.4 deleted
  • Priority changed from normal to highest omg bbq

comment:3 follow-up: g30rg3x 7 years ago

  • Priority changed from highest omg bbq to normal
  • Resolution set to invalid
  • Status changed from new to closed

You need the "_wp_unfiltered_html_comment" token to get the admin posting data with no filtering and, obviously, to get your XSS to work...
So if you test your PoC you will see there is no security breach...

comment:4 in reply to: ↑ 3 Linusmartensson 7 years ago

  • Priority changed from normal to high
  • Resolution invalid deleted
  • Status changed from closed to reopened
  • Summary changed from new vulnerability in WordPress to Posting comments from external websites

Replying to g30rg3x:

You need the "_wp_unfiltered_html_comment" token to get the admin posting data with no filtering and, obviously, to get your XSS to work...
So if you test your PoC you will see there is no security breach...

The problem with this vulnerability isn't XSS in itself, it's the possibility to send comments from a malicious website. However, (correct me if I'm mistaken) this should be solvable by identifying the referrer and denying the comment if it comes from another website, right?

comment:5 Linusmartensson 7 years ago

To me, it looks like the problem here is that _wpnonce is missing on the comment forms, which is indeed a vulnerability.

comment:6 westi 7 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

This is protected by a nonce check for any user with unfiltered html:

default-filters.php - Adds a nonce to the comment form: http://trac.wordpress.org/browser/tags/2.2/wp-includes/default-filters.php#L34

comment-template.php - nonce is added using this code:
http://trac.wordpress.org/browser/trunk/wp-includes/comment-template.php#L274

wp-comments-post.php - and nonce is checked here:
http://trac.wordpress.org/browser/tags/2.2/wp-comments-post.php#L38

This means that any comment posted by the admin - or any other user with the unfiltered html capability - must have a valid nonce, or the comment is filtered by kses as it would be for any other user.

Therefore this report is invalid.
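A minimal model of the check westi describes, added here as an illustration and not WordPress's own code: the nonce is bound to the user and the post, only users with the unfiltered_html capability get to skip the filter, and a request that arrives without the matching nonce (as a cross-site request made with the victim's cookies would) is still stored, but only after its markup has been rendered inert. The secret, the `kses_like` stand-in and the form values are constructed for the example.

```python
import hashlib
import hmac
import html

# Constructed stand-in for the site's secret; a real install uses its own salts.
SECRET = b"constructed-example-secret"


def make_nonce(user_id: int, post_id: int) -> str:
    """Nonce tied to the logged-in user and the post being commented on.

    A page on another origin cannot read this value, so a forged request
    made with the victim's cookies arrives without it (or with a stale one).
    """
    msg = f"unfiltered-html-comment_{post_id}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def kses_like(text: str) -> str:
    """Stand-in for kses: render every tag inert by escaping it."""
    return html.escape(text, quote=True)


def handle_comment_post(form: dict, user_id: int, capabilities: set) -> dict:
    """Model of the decision described in the ticket for wp-comments-post.php.

    The comment is accepted either way; what changes is whether the body is
    stored raw or passed through the filter.
    """
    post_id = int(form["comment_post_ID"])
    content = form["comment"]
    nonce_ok = False
    if "unfiltered_html" in capabilities:
        supplied = form.get("_wp_unfiltered_html_comment", "")
        expected = make_nonce(user_id, post_id)
        nonce_ok = hmac.compare_digest(supplied.encode(), expected.encode())
    if not nonce_ok:
        content = kses_like(content)
    return {"post_id": post_id, "content": content, "filtered": not nonce_ok}


if __name__ == "__main__":
    admin, caps = 1, {"unfiltered_html"}
    payload = "<script>alert(1)</script>"
    # Request forged from another site: cookies present, nonce absent.
    forged = handle_comment_post({"comment_post_ID": "7", "comment": payload}, admin, caps)
    # Request from the site's own comment form, which carries the nonce.
    genuine = handle_comment_post({"comment_post_ID": "7", "comment": payload,
                                   "_wp_unfiltered_html_comment": make_nonce(admin, 7)},
                                  admin, caps)
    print("forged :", forged)
    print("genuine:", genuine)
```

Running it shows the forged request stored with `&lt;script&gt;` while the genuine one keeps the raw markup, which is the behaviour the testers on this ticket report.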

comment:7 follow-up: PsychoGun 7 years ago

You are stupid.

This report is not invalid and you should test my proof of concept before editing it. This vulnerability does work, and the only data which are really required are the "comment" and the "comment_post_ID".
WordPress just does not care if the "_wp_unfiltered_html_comment" is not sent; it does post the comment.
You should try my POC. I did it in all versions, and it works.

comment:8 PsychoGun 7 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

comment:9 PsychoGun 7 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

comment:10 PsychoGun 7 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

comment:11 in reply to: ↑ 7 westi 7 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

Replying to PsychoGun:

You are stupid.

This report is not invalid and you should test my proof of concept before editing it. This vulnerability does work, and the only data which are really required are the "comment" and the "comment_post_ID".
WordPress just does not care if the "_wp_unfiltered_html_comment" is not sent; it does post the comment.
You should try my POC. I did it in all versions, and it works.

I have tested your POC.

The point is the comment may get posted _but_ the javascript is escaped and made safe, so you are unable to inject javascript into the blog comments.

WordPress protects against this type of comment injection as I have described above.

comment:12 follow-up: PsychoGun 7 years ago

The javascript IS NOT escaped. I DID IT.
YOU DID NOT try my POC.

comment:14 in reply to: ↑ 12 westi 7 years ago

Replying to PsychoGun:

The javascript IS NOT escaped. I DID IT.
YOU DID NOT try my POC.

Yes I did.

As stated above I have tested with your proof of concept and it does not lead to unescaped html being posted.

comment:15 Nazgul 7 years ago

I just tried your POC code on my 2.2 blog and the comment is posted, but the javascript is escaped.

I have to agree with westi.

comment:16 momo360modena 7 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

I have just tried... and the problem exists... if you are connected with an administrator account...

Thanks for leaving this ticket open for the moment.

comment:17 technosailor 7 years ago

This is not the place for this. security@… is. Instead of yelling and screaming like a spoiled baby, why don't you actually go demonstrate your proof of concept to the security people instead of throwing insults around at respected members of the development community.

comment:18 rob1n 7 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

Unfiltered HTML is a CAPABILITY GRANTED TO THE ADMINISTRATOR.

If you don't want administrators to post <script> and the like, then remove their unfiltered_html capability using the Role Manager plugin.

comment:19 rob1n 7 years ago

Oh, and PsychoGun, feel free to not return or stop acting like a spoiled brat.

comment:20 westi 7 years ago

Replying to momo360modena:

I have just tried... and the problem exists... if you are connected with an administrator account...

Thanks for leaving this ticket open for the moment.

Can you elaborate on what you tried and the outcome you observed?

Both Nazgul and I have tested the POC and can see no exploitable issue.

comment:21 rob1n 7 years ago

Trac is really missing the ability to "lock" a ticket.

comment:22 follow-up: momo360modena 7 years ago

The explanation of rob1n is convenient for me ;)

Unfiltered HTML is a CAPABILITY GRANTED TO THE ADMINISTRATOR.

comment:23 in reply to: ↑ 22 ; follow-up: westi 7 years ago

Replying to momo360modena:

The explanation of rob1n is convenient for me ;)

Unfiltered HTML is a CAPABILITY GRANTED TO THE ADMINISTRATOR.

Yes but that doesn't actually explain the fact that the POC does/doesn't work.

Yes a user with Unfiltered HTML can post javascript in a comment.

The POC claims this can be automated with a remote posting javascript - i.e. by visiting another site which does it with your stored cookies.

This is however blocked by the nonce check I described above.

comment:24 ryan 7 years ago

WP injects a nonce into the comment form if your theme's comments template issues do_action('comment_form', $post->ID). All comments templates should do this. If that action is missing, the nonce will be missing.

comment:25 ryan 7 years ago

That wouldn't explain this though. A missing form nonce should mean that the comment is stripped.

comment:26 in reply to: ↑ 23 rob1n 7 years ago

Replying to westi:

Replying to momo360modena:

The explanation of rob1n is convenient for me ;)

Unfiltered HTML is a CAPABILITY GRANTED TO THE ADMINISTRATOR.

Yes but that doesn't actually explain the fact that the POC does/doesn't work.

Yes a user with Unfiltered HTML can post javascript in a comment.

The POC claims this can be automated with a remote posting javascript - i.e. by visiting another site which does it with your stored cookies.

This is however blocked by the nonce check I described above.

I just thought you guys had iterated that point tons of times already in this ticket, so I didn't bother to mention it in that specific comment. It's on the [long] record, though ;).

comment:27 follow-up: Otto42 7 years ago

When were nonces added? Perhaps the version he's using is pre-nonce?

I certainly cannot reproduce with 2.1.anything.

comment:28 in reply to: ↑ 27 westi 7 years ago

Replying to Otto42:

When were nonces added? Perhaps the version he's using is pre-nonce?

I certainly cannot reproduce with 2.1.anything.

The relevant ticket is #3973, which was fixed for 2.2, 2.1.3 and 2.0.10.
