Advisory	: WordPress PHP_SELF Variable Handling XSS Vulnerability

Author		: Alexander Concha <alex@buayacorp.com>
Application	: WordPress (< 2.0.10 RC2, < 2.1.3 RC2)
Severity	: PHP_SELF variable is not properly sanitized before output and 
		it can be used to conduct an XSS attack over the Wordpress's CSRF protection.
		This flaw might result in the execution of arbitrary PHP 
		code and other derived problems of XSS vulnerabilities.              
              
Introduction
------------
WordPress is a state-of-the-art semantic personal publishing platform 
with a focus on aesthetics, web standards, and usability.

http://wordpress.org/

Description
-----------
Wordpress does not sanitize PHP_SELF variable, so this value can be tricked to conduct
XSS attacks and bypass the CSRF protection that is used in the administration interface.

wp-admin/vars.php:

	if ( preg_match('#([^/]+\.php)$#', $PHP_SELF, $self_matches) ) {
		$pagenow = $self_matches[1];
	}

wp-admin/functions.php (wp_nonce_ays function):

	$html .= "\t<form method='post' action='$pagenow'>\n";

From the code snippets, if $PHP_SELF has the following value:
index.php/'><img src=a onerror=alert(1)><.php

The html sent to the browser would be something like:
<form method='post' action=''><img src=a onerror=alert(1)><>

This behaviour is pretty dangerous because the onerror event handler can submit
automatically the form and do any action that the logged user is allowed to.

Proof of Concept
----------------
A successful attack would require that the logged user has write capabilities
over theme files, also the attacker must know the current theme of the target site.

The following PoC overrides the content of index.php in the default theme:
http://www.buayacorp.com/files/wordpress/wordpress-theme-exploit.txt

Solution
--------
Upgrade to 2.0.10-RC2 or 2.1.3-RC2

Disclosure Timeline
-------------------
03/08/2007 - Bug found
03/15/2007 - Vendor contact
03/16/2007 - Wordpress 2.0.10-RC2 and 2.1.3-RC2 releases
03/17/2007 - Public Disclosure

Credits
-------
This vulnerability was discovered by Alexander Concha, at the same time
it also has been reported on sla.ckers.org forums[1] by Jungsonn[2]

	Alexander Concha <alex@buayacorp.com>
	http://www.buayacorp.com
	Cusco - Perú
    
[1] http://sla.ckers.org/forum/read.php?2,7935#msg-8006
[2] http://www.jungsonnstudios.com/blog/