WordPress Critical Zero-Day Vulnerability Fixed In A Hurry

Keep on Guard!

So this is an interesting announcement due to the discussion points it brings up about responsible disclosure, it seems like in this case a researcher published his findings about a WordPress critical zero-day vulnerability without informing WordPress before hand.

WordPress Critical Zero-Day Vulnerability Fixed In A Hurry

And they got it fixed REAL quickly, where as in a previous (pretty similar) case – they took 14 months to fix it, leaving their users at risk for that period.

WordPress 4.2.1 was released on Monday to address a critical zero-day vulnerability disclosed on Sunday by Finnish researcher Jouko Pynnönen of Klikki Oy. The expert published the details of the security bug without notifying WordPress because he was displeased with the way developers handled his recent vulnerability reports.

The stored cross-site scripting (XSS) vulnerability disclosed by Pynnonen is similar to a flaw discovered by Belgian researcher Cedric Van Bockhaven, which WordPress fixed last week with the release of version 4.1.2, more than a year after it was reported. The bug, which affects WordPress 4.2 and earlier, can be exploited by an unauthenticated attacker to execute arbitrary code via very long comments that get truncated when they’re saved into the database.

“The attacker is sending fragments of HTML code to the server that contains JavaScript in it. WordPress tries to verify the content, but misses the embedded script. This specific exploit is because the attacker sends very long content – over 64Kb, which is truncated in the database,” Jeff Williams, CTO of Contrast Security, explained via email. “[When] WordPress sends that data back to the browser as part of a webpage, the script executes.”

“That would be enough for an interesting attack, but this particular exploit goes further. When the attack is executed on an administrator, it uses the administrative privilege to install plugins and execute content directly on the server. Most XSS problems are not exploitable in a way that allows a complete remote host takeover,” Williams added.

This is a pretty clever bug, and pretty dangerous too as when a comment is viewed by someone logged in as admin – the site can basically be hijacked totally.

For an XSS attack – this is pretty serious.

The comment truncation flaw reported by Van Bockhaven was addressed by WordPress only after 14 months. However, Pynnonen’s approach forced the WordPress team to release a patch within hours.

Before the fix was released, website owners running a self-hosted version of WordPress were advised to install the Askimet anti-spam plugin in order to protect themselves against potential attacks.

Pynnonen said he decided not to notify WordPress before making the vulnerability public because a different stored XSS flaw that he reported in November is still unpatched. His attempts to obtain information from WordPress on the status of a patch were unsuccessful, even after he tried contacting developers via HackerOne and CERT Finland (CERT-FI).

Furthermore, WordPress last year promised the researcher a minimum bounty of $2,000 for responsibly disclosing a critical bug affecting WordPress versions prior to 4.0, but they only awarded him $100.

“I don’t think it’s my job to spend months begging for the security team to communicate with me about security vulnerabilities. It’s their job and responsibility to communicate with researchers who try to help them and their customers. And if they ‘pro-actively’ and spontaneously offer me a bug bounty, I think it would be appropriate for them to keep their word,” Pynnonen told SecurityWeek. “I’m sure many people think the disclosure was irresponsible. But instead of months or years, the fix was produced in a few hours. During this time users were aware of the threat and could take precautions.”

Williams believes WordPress is to blame for incidents like this one.

Their Bug Bounty payouts seem pretty lame too, which doesn’t really encourage researchers and vulnerability developers to follow the path of responsible disclosure.

Compound that with their tardy reaction to serious bugs, and you get frustrated bug-hunters – like Jouko Pynnönen in this case.

Source: SecurityWeek

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , ,

Latest Posts:

GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.
Memcached DDoS Attacks Will Be BIG In 2018 Memcached DDoS Attacks Will Be BIG In 2018
So after the massive DDoS attack trend in 2016 it seems like 2018 is going to the year of the Memcached DDoS amplification attack with so many insecure Memcached servers available on the public Internet.
libsodium - Easy-to-use Software Library For Encryption libsodium – Easy-to-use Software Library For Encryption
Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more. It is a portable, cross-compilable, installable, packageable fork of NaCl, with a compatible API.
XSStrike - Advanced XSS Fuzzer & Exploitation Suite XSStrike – Advanced XSS Fuzzer & Exploitation Suite
XSStrike is an advanced XSS detection suite, which contains a powerful XSS fuzzer and provides zero false positive results using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads.

Comments are closed.