id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
3973,"XSRF,XSS security hole for users with unfiltered_html capability",markjaquith,markjaquith,"As reported at:

http://www.virtuax.be/advisories/Advisory4-20022007.txt

Users with the {{{unfiltered_html}}} capability get to skip KSES stripping of harmful HTML markup.  An XSRF attack can be used to trick these users into submitting comments with harmful XSS-laden markup.

Attached patch is a first stab at a solution for trunk, 2.0.x and 2.1.x

The patch alters {{{wp_nonce_field()}}} so that the form {{{name}}} can be specified.  For users with {{{unfiltered_html}}} the {{{comment_form}}} hook is used to use {{{wp_nonce_field}}} to inject a hidden nonced field, using a special {{{name}}}.

On comment submit, users with {{{unfiltered_html}}} have this nonce checked.  If the nonce check fails, KSES silently reverts to normal non-{{{unfiltered_html}}} operation, zapping any XSS-esque content and rendering the attack useless.  This silent fallback is used so that themes without the {{{comment_form}}} hook don't block {{{unfiltered_html}}}-capable comments... they just sanitize them more closely than they would if the theme supported the {{{comment_form}}} hook.

Triple milestone:  2.2 (trunk), 2.1.3, 2.0.10

Trunk has been tested with this patch, and 2.1.x applied cleanly.  2.0.x has not yet been tested.",defect (bug),closed,highest omg bbq,2.0.10,Security,2.1.2,critical,fixed,comment nonce form security XSS XSRF,
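Sketch of the defence the ticket describes, written here as an added example; it is not the attached patch and not WordPress's own code. It assumes the two-argument wp_nonce_field($action, $name) form the patch introduces, WordPress's existing kses_remove_filters()/kses_init_filters() helpers, the theme-side do_action('comment_form', $post->ID) hook, and that the preprocess_comment filter runs before the pre_comment_content filters that KSES hooks into (where the committed fix actually performs the check is not stated in the ticket). The uhc_ function names, the nonce field name and the action string are illustrative.

```php
<?php
/*
Plugin Name: Unfiltered-HTML comment nonce (illustrative example)
Description: Nonce-gated unfiltered_html for comments with silent KSES fallback.
*/

// Assumed names: the real patch may use different ones.
define( 'UHC_NONCE_NAME', '_wp_unfiltered_html_comment' );

function uhc_nonce_action( $post_id ) {
	// Bind the nonce to the post so a token minted for one post cannot be
	// replayed against another.
	return 'unfiltered-html-comment_' . (int) $post_id;
}

// Runs from the theme's do_action('comment_form', $post->ID). Only users who
// could bypass KSES get the hidden field; everyone else is filtered anyway.
function uhc_comment_form_nonce( $post_id ) {
	if ( ! current_user_can( 'unfiltered_html' ) )
		return;
	// Two-argument form: action plus a dedicated field name, so this nonce is
	// not confused with the generic _wpnonce used by admin forms.
	wp_nonce_field( uhc_nonce_action( $post_id ), UHC_NONCE_NAME );
}
add_action( 'comment_form', 'uhc_comment_form_nonce' );

// On submit: a valid nonce is the only thing that buys the KSES bypass. A forged
// cross-site POST cannot carry it, and a theme without the comment_form hook
// never emitted it, so both cases fall back to ordinary filtering.
function uhc_enforce_comment_nonce( $commentdata ) {
	if ( ! current_user_can( 'unfiltered_html' ) )
		return $commentdata; // KSES filters are already installed for this user

	$post_id = isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0;
	$nonce   = isset( $_POST[ UHC_NONCE_NAME ] ) ? (string) $_POST[ UHC_NONCE_NAME ] : '';

	if ( ! wp_verify_nonce( $nonce, uhc_nonce_action( $post_id ) ) ) {
		// Silent fallback: accept the comment, but sanitize it exactly as a
		// non-unfiltered_html user's comment would be. No error is shown, so
		// themes lacking the hook keep working, just with stricter filtering.
		kses_remove_filters(); // start from a clean slate
		kses_init_filters();   // reinstall wp_filter_kses on pre_comment_content etc.
	}
	return $commentdata;
}
add_filter( 'preprocess_comment', 'uhc_enforce_comment_nonce' );
```

The check deliberately never rejects the submission: the security property is that markup reaching the database is KSES-clean unless the request provably originated from a form the site rendered for that user and that post. Anything weaker than that proof (missing field, wrong post ID, expired nonce) degrades to the same output a normal commenter would get.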
