Ticket #3986 (closed defect (bug): fixed)

Opened 5 years ago

Last modified 5 years ago

XSS in wp_nonce_ays

Reported by: xknown Owned by: anonymous
Priority: highest omg bbq Milestone: 2.0.10
Component: Security Version: 2.0.9
Severity: normal Keywords: has-patch
Cc:

Description

There's a small XSS vulnerability in wp_nonce_ays that requires user intervention; attribute_escape is useless when _wp_http_referer contains something like javascript:alert("XSS").

PoC (click "No"): http://wp/wp-admin/plugins.php?action=activate&plugin=akismet/akismet.php&_wp_http_referer=javascript:alert(%22XSS%22)

Attachments

  • functions.diff (436 bytes), added by xknown 5 years ago: Proposed fix
  • clean_url-admin_a-l.diff (7.7 KB), added by ryan 5 years ago: Use clean_url where appropriate. Admin files A - L.
  • trunk_wp-admin_m-z.diff (4.8 KB), added by markjaquith 5 years ago: trunk/wp-admin/ (m-z)
  • trunk_wp-includes_m-z.diff (700 bytes), added by markjaquith 5 years ago: trunk/wp-includes/ (m-z)
  • clean_url-includes_a-l.diff (5.1 KB), added by ryan 5 years ago: clean_url() for wp-includes A - L
  • trunk_inclusive.diff (18.7 KB), added by markjaquith 5 years ago: trunk/
  • 2.1_inclusive.diff (19.1 KB), added by markjaquith 5 years ago: branches/2.1/ patch
  • 2.0_inclusive.diff (5.7 KB), added by markjaquith 5 years ago: branches/2.0/ patch

Change History

xknown 5 years ago

Proposed fix

ryan 5 years ago

Use clean_url where appropriate. Admin files A - L.

trunk/wp-admin/ (m-z)

trunk/wp-includes/ (m-z)

ryan 5 years ago

clean_url() for wp-includes A - L

  • Keywords has-patch added
  • Priority changed from low to highest omg bbq

The given PoC didn't work for me out of the box, but with some fiddling I got it to work.

2.0.x, 2.1.x and trunk are all vulnerable.

The given patch takes the sting out of the attack on my tests.

Also please note that the attached patch was made from the wp-includes directory and not from the root.

Guess I was typing too slow. :)

trunk/

comment:3 ryan 5 years ago

We're using clean_url instead of attribute_escape for content that goes in an href or src.
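The description and this comment make the same point: entity-encoding an attribute value does not neutralise a `javascript:` URL inside an `href`, because the browser decodes the entities and then parses the result as a URL, whereas a URL sanitiser that only admits known-safe schemes does. The following Python is an added illustration of that distinction, not code from the ticket or from WordPress: `attribute_escape` and `clean_url` below are simplified stand-ins for the ideas behind the two WordPress functions, `FALLBACK_URL` and the sample referer values are constructed, and `render_no_link` is a hypothetical model of the confirmation page's "No" link.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample referer values; the first mirrors the value the ticket's PoC supplies.
JS_REFERER = 'javascript:alert("XSS")'
OBFUSCATED_JS_REFERER = 'JaVa\tscript:alert(1)'   # tab inside the scheme; browsers ignore it
GOOD_REFERER = 'http://wp/wp-admin/plugins.php?a=1&b=2'
RELATIVE_REFERER = '/wp-admin/plugins.php'

ALLOWED_SCHEMES = {"http", "https"}
FALLBACK_URL = "/wp-admin/"   # hypothetical destination used when the referer is rejected


def _strip_controls(value: str) -> str:
    """Remove ASCII control characters (tab, newline, ...) the way a browser does
    before it recognises a URL scheme, so 'java\\tscript:' is seen as 'javascript:'."""
    return "".join(ch for ch in value if ord(ch) > 0x1F and ord(ch) != 0x7F)


def attribute_escape(value: str) -> str:
    """Entity-encode &, <, >, " and '.  This is the attribute_escape() idea: it keeps the
    value inside the quoted attribute, but says nothing about what the value *is*."""
    return html.escape(value, quote=True)


def clean_url(value: str) -> str:
    """Scheme-allowlisting sanitiser (the clean_url() idea, simplified stand-in).
    Returns '' for anything that is neither a relative URL nor an http(s) URL;
    the survivor is then entity-encoded so it is also safe inside the attribute."""
    value = _strip_controls(value.strip())
    if not value:
        return ""
    scheme = urlparse(value).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return html.escape(value, quote=True)


def render_no_link(referer: str, sanitize) -> str:
    """Hypothetical model of the confirmation page's "No" link: the referer is passed
    through the chosen sanitiser and dropped in favour of FALLBACK_URL if it is rejected."""
    href = sanitize(referer) or html.escape(FALLBACK_URL, quote=True)
    return f'<a href="{href}">No</a>'


def href_scheme(anchor: str) -> str:
    """The URL scheme a browser would act on for the anchor's href: entity-decode the
    attribute, strip control characters, then parse the scheme.  '' means no scheme."""
    m = re.search(r'href="([^"]*)"', anchor)
    raw = _strip_controls(html.unescape(m.group(1))) if m else ""
    return urlparse(raw).scheme.lower()


if __name__ == "__main__":
    for name, sanitize in (("attribute_escape", attribute_escape), ("clean_url", clean_url)):
        for referer in (JS_REFERER, OBFUSCATED_JS_REFERER, GOOD_REFERER, RELATIVE_REFERER):
            link = render_no_link(referer, sanitize)
            print(f"{name:17} {referer!r:32} -> {link}  (scheme={href_scheme(link)!r})")
```

Running the block shows the escaped-only link still carrying the `javascript` scheme (including for the tab-obfuscated variant), while the allowlisting version rejects both and falls back, and passes ordinary absolute and relative referers through with `&` encoded. Note the allowlist deliberately accepts scheme-less values, so a protocol-relative `//host/path` still passes; that is an open redirect concern rather than script execution, and a deployment that needs to forbid it can additionally require the value to start with a single `/` or an allowed scheme.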

branches/2.1/ patch

  • Status changed from new to closed
  • Resolution set to fixed

(In [5056]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

(In [5057]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

branches/2.0/ patch

(In [5058]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.

  • Version changed from 2.1.2 to 2.0.9
  • Milestone changed from 2.1.3 to 2.0.10