WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

1. Advisory Information

Title
WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures
Advisory ID
CORE-2009-0515
Advisory URL
http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
Date published
2009-07-08
Date of last update
2009-07-08
Vendors contacted
WordPress
Release mode
Coordinated release
Authors
Fernando Arnaboldi and José Orlicki

2. Vulnerability Information

Class
Local file include, Privileges unchecked, Cross site scripting (XSS), Information disclosure
Remotely Exploitable
Yes
Locally Exploitable
No
Bugtraq ID
35581, 35584
CVE Name
CVE-2009-2334, CVE-2009-2335, CVE-2009-2336

3. Vulnerability Description

WordPress is a web application written in PHP that allows the easy installation of a flexible weblog on any computer connected to the Internet. WordPress 2.7 reached more than 6 million downloads during June 2009 [9].

A vulnerability was found in the way that WordPress handles some URL requests. This results in unprivileged users viewing the content of plugins configuration pages, and also in some plugins modifying plugin options and injecting JavaScript code. Arbitrary native code may be run by a malicious attacker if the blog administrator runs injected JavasScript code that edits blog PHP code. Many WordPress-powered blogs, hosted outside wordpress.com, allow any person to create unprivileged users called subscribers. Other sensitive username information disclosures were found in WordPress.

4. Vulnerable packages

5. Non-vulnerable packages

6. Vendor Information, Solutions and Workarounds

Mitigation for the Privileges Unchecked vulnerability (suggested by Core Security): this vulnerability may be mitigated by controlling access to files inside the wp-admin folder. Access can be prohibited by using Apache access control mechanism (.htaccess file), see guideline for more information [11].

7. Credits

These vulnerabilities were discovered and researched by Fernando Arnaboldi and José Orlicki from Core Security Technologies. Further research was made by Jose Orlicki from Core Security Technologies.

8. Technical Description / Proof of Concept Code

8.1. Introduction

In the last few years several security bugs were found in WordPress [1][2]. During 2008, the big amount of bugs reported by researchers lead to exploitation by blog spammers [3]. During 2009, a new round of attacks has appeared and security researchers are reporting new bugs or wrongly fixed previously-reported bugs [4][5]. A path traversal in local files included by admin.php has been fixed [6][7] but, in our case, we report that administrative privileges are still unchecked when accessing any PHP file inside a plugin folder.

8.2. Access Control Roles

WordPress has a privilege model where any user has an assigned role [8]. Regarding plugins only users characterized by the role Administrator can activate plugins. Notice that only the blog hosting owner can add new plugins because these must by copied inside the host filesystem. The roles Editor, Author or Subscriber (the latter has the least privileges) cannot activate plugins, edit plugins, update plugins nor delete plugins installed by an Administrator. Besides that, the configuration of specific plugins is a grey area because there is no distinguished capability assigned [8].

Also due to cross-site scripting vulnerabilities inside plugins options (something very common), non-administrative users reconfiguring plugins may inject persistent JavaScript code. Possibly arbitrary native code can be executed by the attacker if the blog administrator runs injected JavasScript code that injects PHP code. It is important to observe that many WordPress-powered blogs are configured to allow any blog visitor to create a Subscriber user without confirmation from the Administrator role inside the following URL, although by default the Administrator role must create these new users.

http://[some_wordpress_blog]/wp-login.php?action=register

This can be modified by the administrator in Membership/Anyone can register.
http://[some_wordpress_blog]/wp-admin/options-general.php

8.3. Privileges Unchecked in admin.php?page= Plugin Local File Includes (CVE-2009-2334, BID 35581)

No privileges are checked on WordPress plugins configuration PHP modules using parameter page when we replace options-general.php with admin.php. The same thing happens when replacing other modules such as plugins.php with admin.php. Basic information disclosure is done this way. For example, with the following URL a user with no privileges can see the configuration of plugin Collapsing Archives, if installed.

http://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt

Instead of the following allowed URL.
http://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt

Another example of this information disclosure is shown on Akismet, a plugin shipped by default with WordPress.
http://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt

All plugins we have tested are vulnerable to this kind of information disclosure, but in many of them the PHP files accessed just crashed. On the other hand, for example, with capability import, privileges are checked inside admin.php:
if ( ! current_user_can('import') )
    wp_die(__('You are not allowed to import.'));

More dangerous scenarios exist, all of them can be exploited by users with the Subscriber role, the least privileged.

8.4. Abuse example: XSS in plugin configuration module

If installed, *Related Ways To Take Action* is an example of a WordPress plugin that is affected by many cross-site scripting vulnerabilities (XSS) that can be leveraged by an attacker using the unchecked privileges described in this advisory to inject persistent JavaScript code. Possibly, arbitrary native code can be executed by the attacker if the blog administrator, when he/she logs in, runs injected JavasScript code that edits blog PHP code. The original URL for reconfiguring the plugin can be accessed only by the Administrator role.

http://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php

But replacing the PHP file with the generic admin.php any blog user can modify this configuration.
http://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php

The following JavaScript injection can be entered within field *Exclude actions by term* to exemplify this kind of abuse. When the administrator enters the same page the injected browser code will be executed and possibly blog PHP can be modified to run arbitrary native code.
"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref="
          

This is the worst scenario that we found for the vulnerability.

8.5. Abuse example: viewing WP Security Scanner Plugin Dashboard

If installed, the WordPress Security Scanner Plugin dashboard can be viewed similarly by any user besides the administrator using the plugin configuration page URL without modification. This dashboard includes common default blog configuration settings that are insecure and should be modified by the blog administrator or hosting.

http://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php

8.6. Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project

If installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be reconfigured accessed with the same vulnerability.

http://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php

This gives an attacker the possibility to disable many features of the plugin, for example reactivate the forgotten password feature and reactivate the XML-RPC blog interface. Also you can deny the weblog service by configuring this plugin to be overly sensitive, blocking any request. However the plugin cannot be totally disabled because the essential IDS parameters Maximum impact to ignore bad requests and Minimum impact to sanitize bad requests are verified on the server side of the blog and cannot be distorted to deactivate the sanitizing or blocking features of the web IDS plugin.

8.7. Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID 35584)

WordPress discriminates bad password from bad user logins, this reduces the complexity of a brute force attack on WordPress blogs login (CVE-2009-2335, BID 35584). The same user information disclosure happens when users use the forgotten mail interface to request a new password (CVE-2009-2336, same BID 35584). These information disclosures seem to be previously reported [6] but the WordPress team is refusing to modify them alleging *user convenience*.

Default installation of WordPress 2.7.1 leaks the name of the user posting entries inside the HTML of the blog.

  <small>June 3rd, 2009 <!-- by leakedusername --></small>

Also several administrative modules give to anyone the complete path where the web application is hosted inside the server. This may simplify or enable other malicious attacks. An example follows.

http://[some_wordpress_blog]/wp-settings.php

Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in [WP_LEAKED_PATH]wp-settings.php on line 110
Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in [WP_LEAKED_PATH]wp-settings.php on line 112
Warning: require(ABSPATHwp-includes/compat.php) [function.require]: failed to open stream: 
No such file or directory in [WP_LEAKED_PATH]wp-settings.php on line 246
Fatal error: require() [function.require]: Failed opening required 'ABSPATHwp-includes/compat.php' 
(include_path='.;[PHP_LEAKED_PATH]php5pear') in [WP_LEAKED_PATH]wp-settings.php on line 246
        

9. Report Timeline

10. References

[1] WordPress vulnerabilities in CVE database
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
[2] SecuriTeam List of WordPress Vulnerabilities
http://www.securiteam.com/products/W/Wordpress.html
[3] WordPress Vulnerability - YBO Interactive Blog
http://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/
[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1
http://wordpress.org/support/topic/280748
[5] Security breach - xkcd blog
http://blag.xkcd.com/2009/06/18/security-breach/
[6] securityvulns.com WordPress vulnerabilities digest in English
http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded
[7] CVE-2008-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196
[8] WordPress Roles and Capabilities
http://codex.wordpress.org/Roles_and_Capabilities
[9] WordPress Download Counter
http://wordpress.org/download/counter/
[10] WordPress Intrusion Detection System Plugin
http://php-ids.org/2008/02/21/wpids-version-012-released/
[11] Hardening WordPress with htaccess
http://blogsecurity.net/wordpress/article-210607

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.