WordPress.com permanent XSS Vulnerability

UPDATE: Drew Strojny, Vigilance theme creator ask me to hide the post until a he publish a fixed version. He did yesterday so I put this post online again.

Friday 3 I discovered XSS vulnerability into WordPress.com. A malicious attacker can insert Javascript into the "Alert Box" feature of theme Vigilance. it was a permanent XSS vulnerability that can be used to make a XSS worm around und WordPress.com or to spam all blogs with some kind of Russian or Chinese malicous links.

I send an email to WordPress.com support Saturday 4 knowing they about the vulnerability. They (well, Anthony) reply me asking about what king of Javascript I was able to insert:

Me@email.com T
Subject: [WordPress #282419]: General-I discover that I can insert javascript without p
Date: Sat, 04 Apr 2009 11:49:32 + 0000
From: "Anthony-WordPress.com" support@wordpress.com
Reply-T support@wordpress.com
Content-Type: text/plain; charset = "UTF-8 ″
Content-Transfer-Encoding: 8bit

Hi,

What specific javascript code did you enter?

Best,

Anthony

Automattic | WordPress.com

I answered with more specific technical detail:

In-Reply-T khkrik.hlo0f3@help.automattic.com
Date: Sat, 4 Apr 2009 13:52:13 + 0200
Delivered-T me@email.com
Subject: Re: [WordPress #282419]: General-I discover that I can insert javascript without pr
From: Pedro Laguna me@email.com
Support@wordpress.com T
Content-Type: multipart/mixed; boundary = 0016e6ddfed2d012cc0466b94bfd
Content-Type: text/plain; charset = UTF-8
Content-Transfer-Encoding: 7bit

I attach three pics. I try only some simple javascript, but I'm sure I'll be able to put anything there.

Pedro Laguna

The three pictures I send are these ones that demonstrate that I can insert anything I want:

Vigilance Options with some simple Javascript

This blog was XSSed !!!

The Javascript code without being filtered

After this email I started to think about how an edevil person cocould be do with this vulnerability. The first step is to determine how WordPress.com users can be affected. We have two kind of WordPress.com users:

The first target is easy. We can use AJAX to generate every HTTP connection we need so we can copy the XSS worm code into the Alert Box feature of blogs who have this theme activated:

POST/wp-admin/themes. php? Page = functions. php HTTP/1.1
Host: <blogname> .wordpress.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
V_pages_to_exclude = & V_background_css = Disabled
& V_background_color = dcdfc2 & V_border_color = d7dab9
& V_link_color = 772124 & V_hover_color = 58181b
& V_alertbox_state = On & V_alertbox_title = Title
& V_alertbox_content = Message
& Save = Save + changes & action = save

We will change the Message value to insert our Javascript code and change the state to On to display it in the front page.

The other group of users can host our edevil XSS code too. They need first to activate the Vigilance theme. It can be easily done with the following HTTP request:

GET/wp-admin/themes. php? Action = activate & template = pub % 2 Fvigilance & stylesheet = pub % 2 Fvigilance & _ wpnonce = a4c05c7d1d HTTP/1.1

As you can see its a GET request that can be achieve with a simple CSRF request. Really? No! They are using a _ wpnonce var to block this king of attacks. but it is not a problem when we are able to insert Javascript inside the domain because the cookie domain is defined as .wordpress.com. this means that we can generate an AJAX request to retrieve the wp-admin/themes. php page, extract the _ wpnonce value and generate a valid theme changing request.

OK, now we have the transmission part under control.... How we start all this mess? We can create a blog, with some proxy, fake mails, public AP, etc but this is not part of this post. the real interesting thing is that we can use Google to find new victims to our XSS worm. in the front page of Vigilance active theme blogs we can see the text "Theme: Vigilance by Jestro ". this text and some Google skills allow us to determine that at least 500,000 blogs are using this theme:

Some spam to these blogs with the URL of our XSS worm blog and the party start! But we need people visit the infected blogs. in this part we need some social engineering skills and tricks. as we can interact with all the admin interface of logged users we can also post into his blogs. we can write a post about the new theme (to incite people who reads blogs by RSS to go to the real blog)

As we can see the process to make a XSS worm is a bit complex and required some Javascript skills. in this case the anti-xss filter was not activated so we don't need to worry about evasion techniques.

Finally, at Monday 6, WordPress.com (Nick) contact me to give me the thanks to advise they about the vulnerability and confirming me that the vulnerability has been patched.

Me@email.com T
Subject: [WordPress #282419]: General-I discover that I can insert javascript without pr
Date: Mon, 06 Apr 2009 14:46:21 + 0000
Message-ID: <khop19.56t9h3@help.automattic.com>
From: "Nick-WordPress.com" support@wordpress.com
Reply-T support@wordpress.com

Hi,
Thanks for lew.us know about this! It's been patched up now so the JS can't be used.
-
Nick
Automattic | WordPress.com

Today I post it to public to warn people about the risk of XSS vulnerabilities and congratulate WordPress.com team for the quick response. Have a nice day!