3.5.1 DoS #219

Closed
ethicalhack3r opened this Issue Jun 11, 2013 · 10 comments

ethicalhack3r (Owner) commented Jun 11, 2013

Not tested yet - https://vndh.net/note:wordpress-351-denial-service

Will add to DB once reproduced.

erwanlr (Owner) commented Jun 11, 2013

Tested, it works.

BTW, the important thing is this: the vulnerability is possible only when there is at least one password-protected post on the blog.

Code modified:

```python
hostname = '192.168.1.103'
wplogin = '/wordpress-3.5.1/wp-login.php'
posturl = '/wordpress-3.5.1/?p=35' # link to password protected post
```

FireFart (Owner) commented Jun 11, 2013

Cool stuff!
But I have never seen a password-protected post in the wild :D

fgeek (Contributor) commented Jun 12, 2013

Please use CVE-2013-2173 for this issue.

ethicalhack3r (Owner) commented Jun 13, 2013

Re-opened to see which older versions are also vulnerable, see #222

ethicalhack3r reopened this Jun 13, 2013

ethicalhack3r (Owner) commented Jun 25, 2013

In the patched version (3.5.2) they only changed one of the functions (post_password_required) and in that function they removed this line `if ( empty( $wp_hasher ) ) {` as well as adding some others.

```console
$ find . -name post-template.php -print | xargs grep "if ( empty( \$wp_hasher ) ) {" --
./wordpress-34/wp-includes/post-template.php:   if ( empty( $wp_hasher ) ) {
./wordpress-341/wp-includes/post-template.php:  if ( empty( $wp_hasher ) ) {
./wordpress-342/wp-includes/post-template.php:  if ( empty( $wp_hasher ) ) {
./wordpress-35/wp-includes/post-template.php:   if ( empty( $wp_hasher ) ) {
./wordpress-351/wp-includes/post-template.php:  if ( empty( $wp_hasher ) ) {
```

Without testing each version individually I think this is enough 'proof' that the above versions are vulnerable?
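The phpass detail behind this, as an added example that is not code from the thread or from WordPress: phpass "portable" hashes encode their own iteration count in the fourth character of the hash string, so a check that accepts a client-supplied hash string also lets the client pick how much CPU the comparison costs. The gate below (Python rather than WordPress's PHP) refuses any cookie hash whose encoded cost is not the one the server's own `PasswordHash(8, true)` would produce, before the expensive check ever runs; the hash strings, the `check_password` stand-in and the function names are constructed for illustration.

```python
from typing import Callable, Optional

# A phpass portable hash is $P$<cost char><8-char salt><22-char hash> (34 chars).
# The cost char is an index into this alphabet giving log2 of the iteration count,
# so the hash string itself decides how much work CheckPassword() performs.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MIN_LOG2, MAX_LOG2 = 7, 30  # exponent range phpass crypt_private() accepts

def portable_hash_cost(setting: str) -> Optional[int]:
    """Iteration count encoded in a $P$/$H$ hash, or None if it is not a valid portable hash."""
    if len(setting) != 34 or setting[:3] not in ("$P$", "$H$"):
        return None
    log2 = ITOA64.find(setting[3])
    if log2 < MIN_LOG2 or log2 > MAX_LOG2:
        return None
    return 1 << log2

def expected_cost(iteration_count_log2: int = 8) -> int:
    """Iteration count PasswordHash(iteration_count_log2, True) emits on PHP 5+:
    phpass adds 5 to the configured exponent and caps it at 30. WordPress uses
    PasswordHash(8, true), i.e. 2**13 iterations and a '$P$B' prefix."""
    return 1 << min(iteration_count_log2 + 5, MAX_LOG2)

def hash_cost_acceptable(setting: str, configured_log2: int = 8) -> bool:
    """Cheap gate: accept only hashes with exactly the cost this server produces."""
    cost = portable_hash_cost(setting)
    return cost is not None and cost == expected_cost(configured_log2)

def post_password_required(post_password: str, cookie_hash: Optional[str],
                           check_password: Callable[[str, str], bool],
                           configured_log2: int = 8) -> bool:
    """Decision a password-protected post makes from the wp-postpass cookie value;
    True means the post stays locked. check_password stands in for phpass
    CheckPassword() and is only called once the cost gate has passed."""
    if not cookie_hash:
        return True
    if not hash_cost_acceptable(cookie_hash, configured_log2):
        return True  # unexpected cost: refuse without doing any hashing work
    return not check_password(post_password, cookie_hash)

# Constructed sample values (not real hashes): the server's own cost, a higher
# cost the server never emits, and a cost character outside phpass's range.
SERVER_COST_HASH = "$P$B" + "abcdefgh" + "0" * 22
HIGHER_COST_HASH = "$P$F" + "abcdefgh" + "0" * 22
MALFORMED_HASH = "$P$Z" + "abcdefgh" + "0" * 22
```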

ethicalhack3r (Owner) commented Jun 25, 2013

Apparently the vulnerability was introduced by the phpass library.

```console
$ find . -name class-phpass.php
./wordpress-25/wp-includes/class-phpass.php
./wordpress-251/wp-includes/class-phpass.php
./wordpress-26/wp-includes/class-phpass.php
./wordpress-261/wp-includes/class-phpass.php
./wordpress-262/wp-includes/class-phpass.php
./wordpress-263/wp-includes/class-phpass.php
./wordpress-265/wp-includes/class-phpass.php
./wordpress-27/wp-includes/class-phpass.php
./wordpress-271/wp-includes/class-phpass.php
./wordpress-28/wp-includes/class-phpass.php
./wordpress-281/wp-includes/class-phpass.php
./wordpress-282/wp-includes/class-phpass.php
./wordpress-283/wp-includes/class-phpass.php
./wordpress-284/wp-includes/class-phpass.php
./wordpress-285/wp-includes/class-phpass.php
./wordpress-286/wp-includes/class-phpass.php
./wordpress-29/wp-includes/class-phpass.php
./wordpress-291/wp-includes/class-phpass.php
./wordpress-292/wp-includes/class-phpass.php
./wordpress-30/wp-includes/class-phpass.php
./wordpress-301/wp-includes/class-phpass.php
./wordpress-302/wp-includes/class-phpass.php
./wordpress-303/wp-includes/class-phpass.php
./wordpress-304/wp-includes/class-phpass.php
./wordpress-305/wp-includes/class-phpass.php
./wordpress-306/wp-includes/class-phpass.php
./wordpress-31/wp-includes/class-phpass.php
./wordpress-311/wp-includes/class-phpass.php
./wordpress-312/wp-includes/class-phpass.php
./wordpress-313/wp-includes/class-phpass.php
./wordpress-314/wp-includes/class-phpass.php
./wordpress-32/wp-includes/class-phpass.php
./wordpress-321/wp-includes/class-phpass.php
./wordpress-33/wp-includes/class-phpass.php
./wordpress-331/wp-includes/class-phpass.php
./wordpress-332/wp-includes/class-phpass.php
./wordpress-333/wp-includes/class-phpass.php
./wordpress-34/wp-includes/class-phpass.php
./wordpress-341/wp-includes/class-phpass.php
./wordpress-342/wp-includes/class-phpass.php
./wordpress-35/wp-includes/class-phpass.php
./wordpress-351/wp-includes/class-phpass.php
./wordpress-352/wp-includes/class-phpass.php
```

ethicalhack3r (Owner) commented Jun 25, 2013

OK. Last update.

The vulnerable library was included in version 2.5 but wasn't used until version 3.4.

```console
$ find . -name post-template.php -print | xargs grep "class-phpass.php" --
./wordpress-34/wp-includes/post-template.php:       require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-341/wp-includes/post-template.php:      require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-342/wp-includes/post-template.php:      require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-35/wp-includes/post-template.php:       require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-351/wp-includes/post-template.php:      require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-352/wp-includes/post-template.php:  require_once ABSPATH . 'wp-includes/class-phpass.php';
```

ethicalhack3r (Owner) commented Jun 25, 2013

Take that back.

It was used since 2.5 in pluggable.php.

erwanlr (Owner) commented Jun 25, 2013

Spammer :o

ethicalhack3r (Owner) commented Jun 25, 2013

hehe, you love it! ;)

Final conclusion: the library was introduced in version 2.5 and was used in pluggable.php; it wasn't used in post-template.php until version 3.4.
