Archive for January, 2008

Democracy 2.0.1 HTML Injection Vulnerability

Intro
Democracy is a popular AJAX driven voting plugin for WordPress.
BlogSecurity found a vulnerability in the latest version of Democracy (2.0.1) that may allow attackers to hijack your admin and user accounts, and opens up a vast number of other attack vectors.
Proof of concept (test your blog):

http://wordpress.dom/blah’style=xss:expression(alert(document.cookie)); (Tested on IE7)
OR
http://wordpress.dom/blah’onMouseOver=javascript:alert(document.cookie);// (Tested on Firefox & IE)

This proof of concept [...]


bs-wp-sandbox v1.2 released

The main changes in this version are to make it easier to use and to permit comments and post previews by default. Also, when a blacklisted page is requested bs-wp-sandbox will redirect the client to “http://yourblog/”. Now you can change the BLOGNAME variable at the top of the file to redirect the client where you [...]


Defeating Audio Captcha Systems

Jose Palazon sent us an advisory he wrote that defeats a WordPress antispam plugin named "Peter’s Math AntiSpam spinoff".
I think this is one of the first practical audio captcha hacks I’ve seen. Very cool actually, nice one Jose.
Now, back to the details…
Here’s another spin-off of Peter’s Custom Anti-Spam Image for WordPress that will [...]


wp-scanner back online

wp-scanner is back online. We are in the process of moving wp-scanner to become part of a larger, cooler project. We had emails flooding in, so we’ve gotten it back up… please let us know if you run into any bugs.


WP-Filemanager <=1.2 — Arbitrary File Upload

The H-T Team have reported a vulnerability in WP-Filemanager.
***No proof of concept available***
The vulnerability is reported to affect version 1.2. It may also affect earlier versions (in fact, this is likely). It is possible for an attacker to upload arbitrary PHP code, which can afterwards be executed with web server privileges.
Currently there’s no vendor fix available. BlogSecurity [...]