Project 7 - WordPress Pentesting

Time spent: 10 hours spent in total

Objective: Find, analyze, recreate, and document three vulnerabilities affecting an old version of WordPress

Pentesting Report

  1. XSS Vulnerability in Twenty Fifteen Theme (CVE-2015-3429)

  2. Directory Traversal Vulnerability when Deleting a Plugin
  • Summary:
    • Vulnerability types: Unauthorized Directory/Path traversal
    • Tested in version: 3.9.2
    • Fixed in version: 4.1.10
    • This vulnerability allows a user to delete files outside the plugin directory that were never intended to be deletable. Deleting the wrong files could corrupt the entire system.
  • GIF Walkthrough:

  • Steps to recreate:
    • From the admin console, click on Plugins
    • From the plugins that appear, choose a plugin to delete and click "Delete"
    • In the address bar, replace the name of the plugin with '../../../'
    • In the main window, click on 'Click to view entire list of files which will be deleted'
    • The file list now shows the contents of a directory outside the plugins directory, confirming that the traversal succeeded
  • Affected source code:
  3. XSS vulnerability when attempting to upload very large files (CVE-2017-9061)
  • Summary:
    • Vulnerability types: XSS
    • Tested in version: 4.7.2
    • Fixed in version: 4.7.5
    • When uploading a file larger than 2 MB, an attacker can place a malicious script in the file name. After throwing an error for exceeding the maximum file size, WordPress immediately executes the script embedded in the file name.
  • GIF Walkthrough:

  • Steps to recreate:
    • On the local machine, create a file (png, gif, html) exceeding 2 MB.
    • Append a malicious script to the desired file name. For example, create and save the file as 'verymalicious123<img src="1" onerror=alert(1)>.gif'
    • Log in to the WordPress admin console
    • From the admin console, hover over Media (in the left navbar) and click Add New
    • Upload the file with the malicious name from the local machine
    • WordPress will issue a warning that the file is too large
    • Immediately after, the script in the name of the uploaded file executes and an alert dialog appears
    • We have successfully performed an XSS attack.
  • Affected source code:
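  Both findings above share one root cause: untrusted input reaches a sensitive sink without validation, a plugin path containing '../' reaching the deletion code in finding 2, and an upload file name reaching the error page unescaped in finding 3. The stand-alone PHP below is an added example (not WordPress core code and not part of this report) showing the two defensive checks a fix needs; the function names, the plugin directory path and the sample plugin file are assumptions.

```php
<?php
// Added example (not WordPress core code). Function names, the plugin
// directory and the sample inputs are assumptions constructed for this demo.

// Reject any relative plugin path that could escape the plugins directory.
// A plugin file is a relative path such as "hello-dolly/hello.php", so "..",
// ".", absolute paths, backslashes and NUL bytes are never legitimate.
function plugin_path_is_safe(string $plugin): bool {
    if ($plugin === '' || strlen($plugin) > 255) {
        return false;
    }
    if (strpos($plugin, "\0") !== false) {          // NUL-byte truncation
        return false;
    }
    if ($plugin[0] === '/' || strpos($plugin, '\\') !== false) {
        return false;                               // absolute or Windows-style
    }
    foreach (explode('/', $plugin) as $segment) {
        if ($segment === '..' || $segment === '.') {
            return false;                           // the '../../../' from finding 2
        }
    }
    // Only plain path segments remain allowed (no empty segments, no "//").
    return (bool) preg_match('#^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$#', $plugin);
}

// Join a validated plugin path onto the plugins directory and confirm the
// result still lies under that directory before anything is deleted.
function plugin_delete_target(string $plugin_dir, string $plugin): ?string {
    if (!plugin_path_is_safe($plugin)) {
        return null;
    }
    $prefix = rtrim($plugin_dir, '/') . '/';
    $target = $prefix . $plugin;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Build the "file too large" message with the file name HTML-escaped, so a
// name like 'verymalicious123<img src="1" onerror=alert(1)>.gif' (finding 3)
// is shown as text rather than parsed as markup by the browser.
function upload_too_large_message(string $filename, int $max_bytes): string {
    $safe_name = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<p>%s exceeds the maximum upload size of %d bytes.</p>',
                   $safe_name, $max_bytes);
}

// Constructed inputs taken from the two findings.
var_dump(plugin_delete_target('/var/www/wp-content/plugins', 'hello-dolly/hello.php'));
var_dump(plugin_delete_target('/var/www/wp-content/plugins', '../../../'));
echo upload_too_large_message('verymalicious123<img src="1" onerror=alert(1)>.gif', 2097152), "\n";
```

  The first call returns the joined path, the second returns NULL because every '..' segment is rejected before any file operation, and the echoed message contains the file name with '<', '>' and quotes encoded as entities.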

Assets

No additional assets utilized.

Resources

GIFs created with LiceCap.

Notes

Describe any challenges encountered while doing the work

License

Copyright [2017] [Milan Bhatia]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.