Ticket #4012 (closed defect (bug): fixed)
XSS on page-new.php
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | highest omg bbq | Milestone: | 2.0.10 |
| Component: | Security | Version: | 2.1.2 |
| Severity: | normal | Keywords: | 2nd-opinion dev-feedback |
| Cc: | charleshooper |
Description
Someone posted on sla.cker.org forums a new XSS vulnerability that affects all versions, including the trunk.
Attachments
-
link-template.diff
(305 bytes) -
added by xknown 5 years ago.
- Cast to int page id
Change History
-
attachment
link-template.diff
added
The given PoC is: http://wp/wp-admin/page-new.php?saved="><script>alert(123)</script>
PS. The patch is only for the trunk
- Status changed from new to closed
- Resolution set to fixed
comment:4
charleshooper — 5 years ago
- Cc charleshooper added
- Keywords 2nd-opinion dev-feedback added
- Status changed from closed to reopened
- Resolution fixed deleted
Not to step on any toes as I understand this is a high priority item, however is casting to int adequate? I'm referring to the fact that wp_posts.ID is a BIGINT-sized column and the maximum size integer on 32-bit systems is 2,147,483,647. Not that I think many people out there have over 2 billion posts, but I feel that if we impose a limit (by casting a variable to int) then we should update the schema accordingly. Think of it as a SQL optimization if you must.
comment:5
charleshooper — 5 years ago
- Status changed from reopened to closed
- Resolution set to fixed
I just took a look at the schema and also noticed that other tables create their relative post_ID fields as INT(11), I'll close this again and open another ticket as they are separate issues.
- Status changed from closed to reopened
- Resolution fixed deleted
- Milestone changed from 2.1.3 to 2.0.10
Reopening for 2.0 inclusion.
Cast to int page id