Time spent: 4 hours spent in total
Objective: Find, analyze, recreate, and document three vulnerabilities affecting an old version of WordPress
- (Required) File Too Large XSS
- Summary:
The media upload section in Wordpress does not properly sanitize the name of the uploaded media, causing accesses to it to run arbitrary javascript.- Vulnerability types: XSS
- Tested in version: 4.2
- Fixed in version: 4.7.5
- GIF Walkthrough:
- Steps to recreate:
- Create a file over 20MB in size
- Name it with an
<img src=a onerror=alert(1)>.jpgending. - Get an admin or anyone with media upload access to attempt to upload file.
- Script triggers on fail to upload.
- Affected source code:
- (Required) Unauthenticated XSS in Comment
- Summary:
The comment storage method has a limit of 64kb per comment. Exceeding this causes the HTML to corrupt, allowing for arbitrary javascript to be run through comments.
- Vulnerability types: XSS. Buffer Overflow
- Tested in version: 4.2
- Fixed in version: 4.2.1
- GIF Walkthrough:
- Steps to recreate:
- Construct a message over 64kb in size.
- Use
<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>where the...[64 kb]..is replaced with the contents of the message over 64kb in size. - Post the payload as a comment anywhere on the wordpress site.
- Affected source code:
- (Required) YouTube embed XSS
- Summary:
The YouTube embed link is not properly sanitized, allowing for embedded YouTube links to run arbitrary javascript through the post.
- Vulnerability types: XSS via failed sanitization
- Tested in version: 4.2
- Fixed in version: 4.7.3
- GIF Walkthrough:
- Steps to recreate:
- Construct the embed src "http://youtube.com/embed/{VIDEO ID}\x3csvg onload=alert(1)\x3e"
- Put in a post the src above as an embed.
- Affected source code:
Only file of note is "LotsofAs.txt", which contained 82kb of "AAAA"
GIFs created with LiceCap.
If running Vagrant without opening VirtualBox in Administrator mode, Vagrant would fail and lose all connections to Ruby, which required reinstalling Vagrant to fix.
Copyright 2018 Noah
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.