Ticket #4689 (closed enhancement: fixed)
Wordpress uploads.php Cross-Site Scripting Vulnerability
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | highest omg bbq | Milestone: | 2.2.2 |
| Component: | Security | Version: | 2.2.1 |
| Severity: | critical | Keywords: | has-patch |
| Cc: | | | |
Description
In /upload.php the parameter `style` is prone to XSS attacks when editing temporary uploads (they usually have a negative ID). An attack could look like this: /upload.php?style=%22%3E{shellcode}&tab=upload&post_id=-1337

Patch: IDs should be integers

```php
$ID = (int) $ID;
$post_id = (int) $post_id;
$style = preg_replace('/[A-Za-z]/', '', $style); // *
```

Add the line marked with the * to upload.php behind the $post_id one.
Attachments
Change History
- Keywords has-patch added; needs-patch removed
- Owner changed from anonymous to Nazgul
- Status changed from new to assigned
Patch puts the needed attribute_escape in place and also put one around the nearby $post_id as an extra safeguard.
comment:3
markjaquith — 5 years ago
BenjaminFlesch, in the future, please submit security bugs to security@…
comment:4
markjaquith — 5 years ago
- Status changed from assigned to closed
- Resolution set to fixed
comment:5
markjaquith — 5 years ago
comment:6
markjaquith — 5 years ago
comment:7
markjaquith — 5 years ago
I assume 2.0.11 is not vulnerable as it does not have wp-admin/upload.php
comment:9
markjaquith — 5 years ago
I looked through the equivalent code and couldn't find the issue duplicated in 2.0.x

Confirmed on 2.2.1 and trunk.
Fix should be putting in a missing attribute_escape instead of the given regex (in my opinion).
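The attribute-injection shape this ticket describes, beside the attribute_escape fix the maintainers settled on, as an added PHP example that is not WordPress code: the template line, the `attribute_escape_stub` stand-in and the constructed inputs are assumptions, not the real contents of wp-admin/upload.php.

```php
<?php
// Added example, not WordPress code. Reconstructs the bug shape from the
// ticket: a request parameter ($style) echoed into an HTML attribute of the
// upload tab links without attribute escaping, next to a negative post_id.

// Stand-in for WordPress's attribute_escape() (assumed equivalent here):
// encode &, <, >, " and ' so the value cannot close the attribute or tag.
function attribute_escape_stub($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable shape (assumed template line): raw query values concatenated
// straight into markup. A quote followed by '>' ends the attribute and the
// tag, and whatever follows is rendered as page markup.
function tab_link_vulnerable($style, $post_id) {
    return '<a href="upload.php?style=' . $style
         . '&amp;tab=upload&amp;post_id=' . $post_id . '">Upload</a>';
}

// Hardened shape, following the ticket's resolution: cast the ID to int and
// attribute-escape the string before it reaches the attribute. Unlike the
// reporter's letter-stripping regex, escaping keeps legitimate values intact
// and also neutralises digits-only or punctuation-only breakout attempts.
function tab_link_fixed($style, $post_id) {
    $post_id = (int) $post_id;
    $style   = attribute_escape_stub($style);
    return '<a href="upload.php?style=' . $style
         . '&amp;tab=upload&amp;post_id=' . $post_id . '">Upload</a>';
}

// Constructed input mirroring the ticket's request (%22%3E decoded): a quote
// and '>' that close the attribute, then injected markup, plus a negative ID.
$style   = '"><b>injected</b>';
$post_id = '-1337';

echo "vulnerable: " . tab_link_vulnerable($style, $post_id) . "\n";
echo "fixed:      " . tab_link_fixed($style, $post_id) . "\n";

// Detection hint for reviewers: the escaped version contains no raw '"' or
// '>' originating from the parameter, so a simple check can flag regressions.
$fixed = tab_link_fixed($style, $post_id);
echo (strpos($fixed, '<b>') === false) ? "no raw markup leaked\n"
                                       : "raw markup leaked\n";
```

Run with `php example.php`; the vulnerable line shows the `<b>` tag breaking out of the href attribute, while the fixed line shows it encoded as `&lt;b&gt;` inside a still-closed attribute.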