Ticket #3515 (closed defect (bug): fixed)

Opened 5 years ago

Last modified 5 years ago

XSS through author's url in comments

Reported by: xknown Owned by: anonymous
Priority: high Milestone: 2.0.6
Component: Security Version: 2.0.5
Severity: major Keywords: has-patch
Cc:

Description

Due to bad validation of the author's URL value in comments, someone can easily inject JavaScript code into the href attribute:

You can try with this value in the author's URL field:

javascript:alert(document.cookie);v//://

To "exploit" this bug, as you can see, it needs user (logged-in) interaction.

PS. Sorry for my bad English

Attachments

proto.diff (908 bytes) - added by andy 5 years ago.

Change History

andy 5 years ago

  • Keywords xss, comments removed
  • Milestone changed from 2.2 to 2.0.6

comment:2   andy 5 years ago

  • Keywords has-patch added

Attached proto.diff, which forces clean_url through wp_kses_bad_protocol with the default protocol list. E.g., if "javascript:" is the protocol, it will return an empty string rather than a "sanitized" URL.

This can be applied to 2.0 and trunk.
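As an added illustration of the approach andy describes (not the WordPress patch and not wp_kses_bad_protocol itself), the Python sketch below applies a scheme allowlist to a comment URL and returns an empty string when the scheme is not allowed, decoding entities and stripping control characters first so that obfuscated spellings of the scheme are still caught. The function name, the allowlist contents and the sample inputs are assumptions made for this example.

```python
import html
import re
from urllib.parse import unquote

# Assumed default allowlist for a comment author URL; it is not the exact list
# WordPress ships, only the kind of list such a check is built around.
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "mailto", "news", "irc",
                     "gopher", "nntp", "feed", "telnet")

# Scheme per RFC 3986: a letter followed by letters, digits, "+", "-" or ".",
# terminated by ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def _normalize_for_check(url: str) -> str:
    """Undo encodings a browser would undo before it reads the scheme."""
    # Decode HTML entities and percent-encoding until the string stops changing,
    # so "&#106;avascript:" or "java%73cript:" are seen as "javascript:".
    for _ in range(8):
        decoded = html.unescape(unquote(url))
        if decoded == url:
            break
        url = decoded
    # Browsers ignore whitespace and control characters inside a scheme,
    # so "java\tscript:" must be treated as "javascript:".
    return re.sub(r"[\x00-\x20\x7f]", "", url)


def clean_url(url: str, allowed=ALLOWED_PROTOCOLS) -> str:
    """Return the trimmed URL if its scheme is allowed (or absent), else ''."""
    url = url.strip()
    if not url:
        return ""
    match = _SCHEME_RE.match(_normalize_for_check(url))
    if match is None:
        # No scheme at all (relative URL, protocol-relative "//host/..."):
        # there is no protocol to block, so pass it through.
        return url
    if match.group(1).lower() not in allowed:
        # Disallowed protocol: reject outright rather than hand back a
        # "sanitized" value, matching the behaviour described in the comment.
        return ""
    return url


if __name__ == "__main__":
    # Constructed sample: the value from this ticket's description.
    print(repr(clean_url("javascript:alert(document.cookie);v//://")))  # ''
```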

comment:3   ryan 5 years ago

  • Status changed from new to closed
  • Resolution set to fixed

(In [4672]) Add kses protocol checking to clean_url. Props Andy. fixes #3515
