
3.5.1 DoS #219

Closed
ethicalhack3r opened this issue Jun 11, 2013 · 10 comments

Comments

@ethicalhack3r
Contributor

Not tested yet - https://vndh.net/note:wordpress-351-denial-service

Will add to DB once reproduced.

@erwanlr
Member

erwanlr commented Jun 11, 2013

Tested, it works

BTW, the important thing is this: the vulnerability is possible only when there is at least one password protected post on the blog.

Code modified:

hostname = '192.168.1.103'
wplogin = '/wordpress-3.5.1/wp-login.php'
posturl = '/wordpress-3.5.1/?p=35' # link to password protected post

@firefart
Contributor

Cool stuff!
But I have never seen a password protected post in the wild :D

@fgeek
Contributor

fgeek commented Jun 12, 2013

Please use CVE-2013-2173 for this issue.

@ethicalhack3r
Contributor Author

Re-opened to see which older versions are also vulnerable, see #222

@ethicalhack3r ethicalhack3r reopened this Jun 13, 2013
@ethicalhack3r
Contributor Author

In the patched version (3.5.2) they only changed one of the functions (post_password_required), and in that function they removed this line: if ( empty( $wp_hasher ) ) { as well as adding some others.

$ find . -name post-template.php -print | xargs grep "if ( empty( \$wp_hasher ) ) {" --
./wordpress-34/wp-includes/post-template.php:   if ( empty( $wp_hasher ) ) {
./wordpress-341/wp-includes/post-template.php:  if ( empty( $wp_hasher ) ) {
./wordpress-342/wp-includes/post-template.php:  if ( empty( $wp_hasher ) ) {
./wordpress-35/wp-includes/post-template.php:   if ( empty( $wp_hasher ) ) {
./wordpress-351/wp-includes/post-template.php:  if ( empty( $wp_hasher ) ) {

Without testing each version individually I think this is enough 'proof' that the above versions are vulnerable?
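The post_password_required change discussed above hinges on a property of phpass: CheckPassword takes the round count from the fourth character of the hash string it is handed, so if that hash is client-supplied (the post-password cookie, as assumed here), the client decides how much CPU the check burns. The following is an added example, not the thread's PoC and not WordPress or phpass code: it re-implements the portable-hash check in Python and adds a cost-pinning guard; the salt, the password and the assumption that PasswordHash(8, true) emits the '$P$B' (2**13 rounds) prefix are constructed for illustration, and this is a mitigation pattern, not the actual 3.5.2 patch.

```python
import hashlib

# phpass alphabet; the hash's 4th character indexes it to give log2(rounds).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
SERVER_COST_PREFIX = '$P$B'  # assumed: PasswordHash(8, true) emits 'B' = 13 -> 2**13 rounds

def encode64(data: bytes, count: int) -> str:  # phpass's own base-64 variant
    out, i = '', 0
    while i < count:
        value = data[i]; i += 1
        out += ITOA64[value & 0x3f]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3f]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3f]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3f]
    return out

def crypt_private(password: bytes, setting: str) -> str:  # portable hash core
    if setting[:3] not in ('$P$', '$H$'):
        return '*0'
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30 or len(setting) < 12:
        return '*0'
    h = hashlib.md5(setting[4:12].encode() + password).digest()
    for _ in range(1 << count_log2):  # round count comes from the hash itself
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h, 16)

def hash_password(password: bytes, salt: str, count_log2: int = 13) -> str:
    return crypt_private(password, '$P$' + ITOA64[count_log2] + salt)

def check_password(password: bytes, stored: str) -> bool:  # CheckPassword, portable hashes only
    return crypt_private(password, stored) == stored

def check_client_hash(password: bytes, cookie_hash: str) -> bool:
    # Hardened: a client-supplied hash must carry the server's own cost field,
    # otherwise the client chooses the work factor before any hashing starts.
    if not cookie_hash.startswith(SERVER_COST_PREFIX):
        return False
    return check_password(password, cookie_hash)
```

With the guard in place, a cookie value such as '$P$S...' (2**30 rounds) is refused before the first MD5 call instead of being honoured.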

@ethicalhack3r
Contributor Author

Apparently the vulnerability was introduced by the phpass library.

$ find . -name class-phpass.php
./wordpress-25/wp-includes/class-phpass.php
./wordpress-251/wp-includes/class-phpass.php
./wordpress-26/wp-includes/class-phpass.php
./wordpress-261/wp-includes/class-phpass.php
./wordpress-262/wp-includes/class-phpass.php
./wordpress-263/wp-includes/class-phpass.php
./wordpress-265/wp-includes/class-phpass.php
./wordpress-27/wp-includes/class-phpass.php
./wordpress-271/wp-includes/class-phpass.php
./wordpress-28/wp-includes/class-phpass.php
./wordpress-281/wp-includes/class-phpass.php
./wordpress-282/wp-includes/class-phpass.php
./wordpress-283/wp-includes/class-phpass.php
./wordpress-284/wp-includes/class-phpass.php
./wordpress-285/wp-includes/class-phpass.php
./wordpress-286/wp-includes/class-phpass.php
./wordpress-29/wp-includes/class-phpass.php
./wordpress-291/wp-includes/class-phpass.php
./wordpress-292/wp-includes/class-phpass.php
./wordpress-30/wp-includes/class-phpass.php
./wordpress-301/wp-includes/class-phpass.php
./wordpress-302/wp-includes/class-phpass.php
./wordpress-303/wp-includes/class-phpass.php
./wordpress-304/wp-includes/class-phpass.php
./wordpress-305/wp-includes/class-phpass.php
./wordpress-306/wp-includes/class-phpass.php
./wordpress-31/wp-includes/class-phpass.php
./wordpress-311/wp-includes/class-phpass.php
./wordpress-312/wp-includes/class-phpass.php
./wordpress-313/wp-includes/class-phpass.php
./wordpress-314/wp-includes/class-phpass.php
./wordpress-32/wp-includes/class-phpass.php
./wordpress-321/wp-includes/class-phpass.php
./wordpress-33/wp-includes/class-phpass.php
./wordpress-331/wp-includes/class-phpass.php
./wordpress-332/wp-includes/class-phpass.php
./wordpress-333/wp-includes/class-phpass.php
./wordpress-34/wp-includes/class-phpass.php
./wordpress-341/wp-includes/class-phpass.php
./wordpress-342/wp-includes/class-phpass.php
./wordpress-35/wp-includes/class-phpass.php
./wordpress-351/wp-includes/class-phpass.php
./wordpress-352/wp-includes/class-phpass.php

@ethicalhack3r
Contributor Author

OK. Last update.

Vulnerable library was included in version 2.5 but wasn't used until version 3.4.

$ find . -name post-template.php -print | xargs grep "class-phpass.php" --
./wordpress-34/wp-includes/post-template.php:       require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-341/wp-includes/post-template.php:      require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-342/wp-includes/post-template.php:      require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-35/wp-includes/post-template.php:       require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-351/wp-includes/post-template.php:      require_once( ABSPATH . 'wp-includes/class-phpass.php');
./wordpress-352/wp-includes/post-template.php:  require_once ABSPATH . 'wp-includes/class-phpass.php';

@ethicalhack3r
Contributor Author

Take that back.

Was used since 2.5 in pluggable.php.

@erwanlr
Member

erwanlr commented Jun 25, 2013

Spammer :o

@ethicalhack3r
Contributor Author

hehe, you love it! ;)

Final conclusion: the library was introduced in version 2.5 and was used in pluggable.php, but wasn't used in post-template.php until version 3.4.
