Kaizeku Ban » security http://blog.kaizeku.com So many evil plans, so little time... Wed, 19 Nov 2008 01:02:00 +0000 http://wordpress.org/?v=2.7-beta2 en hourly 1 Wordpress "Press This" Multiple XSS Vulnerability http://blog.kaizeku.com/wordpress/wordpress-26-press-this-multiple-xss-vulnerability/ http://blog.kaizeku.com/wordpress/wordpress-26-press-this-multiple-xss-vulnerability/#comments Fri, 01 Aug 2008 03:16:18 +0000 Avice http://blog.kaizeku.com/?p=219 XSS VulnerabilityWordPress Press this (WP 2.6) features is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. The issue can be found at Wordpress trac #7220

POC

*/wp-admin/press-this.php/?ajax=video&s=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
*/wp-admin/press-this.php/?ajax=thickbox&i=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Patch

the latest patch #8320 (07/09/08 19:51:53) by Ryan

]]> http://blog.kaizeku.com/wordpress/wordpress-26-press-this-multiple-xss-vulnerability/feed/ goro spam injection patch http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/ http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/#comments Sat, 14 Jun 2008 18:58:51 +0000 Avice http://blog.kaizeku.com/?p=168 goro spam injectionSince early 2007 I been monitoring this famous WordPress spam injection that only target high PR wordpress blogs like Al gore, blake ross, bluehost CEO to name a few.

PHP create_function()

The new variant from wordpress.net.in & qwetro.com used the “anonymous PHP create_function” to append their spam links on their victim blog. Below is quick patch to disabled the mischievous “create_function” injection on wp_head.

The below code will look for “�lambda_n” function inside wp_head wp_filters array and remove the action hook silently. I assume that any sane developer will never used this unstable PHP function.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

note: This method only disabled the spam link from showing on your blog header. it wont fixed your blog vulnerabilities. your blog still owned thought. Tips → http://wordpress.org/download/

Download

  • Note: There is a file embedded within this post, please visit this post to download the file.
Related Articles
]]> http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/feed/