Kaizeku Ban » vulnerability

Workaround for Google Chrome Automatic file download vulnerability

Avice — Thu, 18 Sep 2008 06:26:55 +0000

Just after recent controversial privacy issue with Google Chrome browser there is old Webkit vulnerability haunting this new slick Google browser. There no official patch from the Chromium developer yet but it seem like bugs inheritance is something you should be aware of. Because Google Chrome browser is partially a Safari 3.1 with different architecture without JavascriptCore (script parse with Google open source javascript V8 Engine).

Current Chrome (beta) is based on WebKit 525.13 (Safari 3.1) rendering engine and introduces many of features inspired/taken from different modern browser (including some vulnerabilities). Theoretically any previous vulnerability in AppleWebkit/Safari 3.1 is shared by Chrome users.

Workaround for Google Chrome Carpet Bombing vulnerability

As expected from previous Safari ticket on this vulnerabilty, both Safari & Chrome developer label this as non vulnerability threat so there no fixes/patch (aka WontFix) for this particular issue. Blame it on interface design.

The below guide is simple workaround for Chrome Carpet Bombing vulnerability (#897 : Automatic file download without confirmation possible) . Basically just disabled the auto save file to desktop by default.

Click on the “Tools wrench icon” and select Options.
On the Options windows select the “Minor Tweaks” tab.
Then checked the “Ask where to save each file before downloading” check box.
Close the options windows. end

Chromium team should enabled the above options by default. That would prevent malicious attack. It’s not very exciting to see all of this happening within short time periods.

Wordpress "Press This" Multiple XSS Vulnerability

Avice — Fri, 01 Aug 2008 03:16:18 +0000

WordPress Press this (WP 2.6) features is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. The issue can be found at Wordpress trac #7220

POC

*/wp-admin/press-this.php/?ajax=video&s=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
*/wp-admin/press-this.php/?ajax=thickbox&i=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Patch

the latest patch #8320 (07/09/08 19:51:53) by Ryan

goro spam injection patch

Avice — Sat, 14 Jun 2008 18:58:51 +0000

Since early 2007 I been monitoring this famous WordPress spam injection that only target high PR wordpress blogs like Al gore, blake ross, bluehost CEO to name a few.

PHP create_function()

The new variant from wordpress.net.in & qwetro.com used the “anonymous PHP create_function” to append their spam links on their victim blog. Below is quick patch to disabled the mischievous “create_function” injection on wp_head.

The below code will look for “�lambda_n” function inside wp_head wp_filters array and remove the action hook silently. I assume that any sane developer will never used this unstable PHP function.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

note: This method only disabled the spam link from showing on your blog header. it wont fixed your blog vulnerabilities. your blog still owned thought. Tips → http://wordpress.org/download/

Download

Note: There is a file embedded within this post, please visit this post to download the file.

Co-Founder of Mozilla Project

Avice — Thu, 28 Feb 2008 19:46:07 +0000

Blake Ross WordPress blog is being run by wordpress.net.in goro spam injection.

Who's Blake Ross

Excerpt from wikipedia

Blake Aaron Ross is a software developer who is known for his work on the Mozilla web browser; in particular, he started the Mozilla Firefox project with Dave Hyatt, as well as the Spread Firefox project with Asa Dotzler while working as a contractor at the Mozilla Foundation.In 2005, he was nominated for Wired magazine’s top Rave Award, Renegade of the Year, opposite Larry Page, Sergey Brin and Jon Stewart. He was also a part of Rolling Stone magazine’s 2005 hot list.

Image Source, The cover for issue #13.02 (the February 2005 edition) of Wired magazine featuring Blake Ross holding a Firefox globe as part of the lead article, The Firefox Explosion, about the browser’s development history.

HTML Source & ScreenGrab

WordPress Vulnerability

Outdated WordPress
- WordPress 2.0.4 Exploit & Vulnerability
  - Blake’s is running on WordPress 2.0.4 first release on Jul 29th, 2006.
  - wp-db-backup.php directory traversal Rev.4226
  - Mark Jaquith on WordPress 2.0.5 Changelog
- µ Proxy Cached: blakeross.com WordPress Version (feed)

WordPress Core Directory & Plugins Informations Leak

View blakeross.com WordPress Core Directory Listing

Index of /wp-includes

 Name Last modified Size Description

[DIR] Parent Directory 25-Dec-2006 01:14 -
[ ] cache.php 03-Sep-2006 23:52 11k
[ ] capabilities.php 03-Sep-2006 23:52 11k
[ ] class-IXR.php 03-Sep-2006 23:52 27k
[ ] class-pop3.php 03-Sep-2006 23:52 21k
[ ] class-snoopy.php 03-Sep-2006 23:52 37k
[ ] classes.php 03-Sep-2006 23:52 51k
[ ] comment-functions.php 03-Sep-2006 23:52 31k
[ ] default-filters.php 03-Sep-2006 23:52 5k
[ ] feed-functions.php 03-Sep-2006 23:52 4k
[ ] functions-compat.php 03-Sep-2006 23:52 3k
[ ] functions-formatting..> 03-Sep-2006 23:53 34k
[ ] functions-post.php 03-Sep-2006 23:53 30k
[ ] functions.php 03-Sep-2006 23:53 71k
[ ] gettext.php 03-Sep-2006 23:53 11k
[DIR] images/ 03-Sep-2006 23:50 -
[DIR] js/ 03-Sep-2006 23:55 -
[ ] kses.php 03-Sep-2006 23:55 22k
[ ] links.php 03-Sep-2006 23:55 20k
[ ] locale.php 03-Sep-2006 23:55 3k
[ ] pluggable-functions.php 03-Sep-2006 23:55 17k
[ ] registration-functio..> 03-Sep-2006 23:55 4k
[ ] rss-functions.php 03-Sep-2006 23:55 21k
[ ] streams.php 03-Sep-2006 23:55 4k
[ ] template-functions-a..> 03-Sep-2006 23:55 5k
[ ] template-functions-c..> 03-Sep-2006 23:56 13k
[ ] template-functions-g..> 03-Sep-2006 23:56 21k
[ ] template-functions-l..> 03-Sep-2006 23:56 15k
[ ] template-functions-p..> 03-Sep-2006 23:56 15k
[ ] template-loader.php 03-Sep-2006 23:56 2k
[ ] vars.php 03-Sep-2006 23:56 3k
[ ] version.php 03-Sep-2006 23:56 1k
[ ] wp-db.php 03-Sep-2006 23:56 10k
[ ] wp-l10n.php 03-Sep-2006 23:56 2k 

Apache/1.3.39 Server at blakeross.com Port 80

µ Proxy Cached: http://blakeross.com/wp-includes/

View blakeross.com WordPress Plugins Directory Listing

Index of /wp-content/plugins

 Name Last modified Size Description

[DIR] Parent Directory 27-Sep-2006 22:27 -
[DIR] akismet/ 03-Sep-2006 23:52 -
[ ] hello.php 03-Sep-2006 23:52 2k
[ ] wp-db-backup.php 03-Sep-2006 23:52 30k 

Apache/1.3.39 Server at blakeross.com Port 80

µ Proxy Cached: http://blakeross.com/wp-content/plugins

Hardening Wordpress?

There is 105,000 WordPress blogs leaking their plugins informations for BotNet to scan.

Blackhat SEO targeting High PR WordPress Blog

Blake Ross is not alone, there is similar Spamride cases for the past few months. Below is are few “High PR WordPress Blogs” with similar issues.

Others Popular Victim

Al Gore’s Blog
Bluehost Hostmonster CEO’s Blog
blog.indeed.com
thinkingphp.org
floaridablog.org