Exploiting Admin Functionality in WordPress Using ClickJacking

hello all

it’s been a while after writing a post and you may know Abysssec  mostly write about application security but we are working on web apps too . in this post we are gonna talk about funny case of wordpress exploitation using ClickJacking technology. as you may know Wordpress Admin panel has x-frame-option which prevent clickjacking but in main page of blog no x-frame-option has been set, so it possible to trick him and make him to post a comment, using Clickjacking. As you may know admin can post comment with html and it is obvious by default this isn’t dangerous, But as blog main page has no x-frame-option it is possible to make XSS of it and finally you can mix ClickJacking /XSS / HTTPOnly Disclosure to make a working exploit.

here is video of  PoC sorry for hosting we have some issue we will upload on abysssec soon  :

http://abysssec.com/files/WordPress_ClickJack.rar

WordPress is aware of unfiltered html with superadmin user but as you can see it’s still possible to exploit the issue .

we reported this so called issue to wordpress ~2 month ago

the answer we got is :

5/4/2012:
Thank you for the report. We're looking into this and will get back to you soon.
5/16/2012:
Sorry for the delayed reply. We've been discussing how best to do this without inconveniencing users.  At the moment we're considering adding the unfiltered_html nonce via JS when the page is not framed. I'll hopefully have a patch to share soon.

Thanks all

happy blogging !

Comments are closed.

Categories


Get Adobe Flash player