Ticket #4811 (closed defect (bug): fixed)

Opened 4 years ago

Last modified 4 years ago

CSRF & XSS on some importers

Reported by: xknown Owned by: anonymous
Priority: high Milestone: 2.3
Component: Security Version: 2.3
Severity: major Keywords: has-patch commit
Cc:

Description

On trunk, Ultimate Tag Warrior and Category to Tag Converter are vulnerable to CSRF and XSS.

Proof of Concepts

  1. CSRF: Convert all categories to tags without user confirmation.
     http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&step=4

  2. XSS: Someone has committed code to debug the wp-cat2tag converter:
    echo '<!--'; print_r($_POST); print_r($_GET); echo '-->';
    
    It allows XSS attacks:
    http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&--><script>alert(/XSS/)</script>
    
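The two shapes described in the report, side by side, as an added illustration written for this page. It is not the ticket's attachment (importers.diff) and not WordPress core code; it assumes it runs inside wp-admin where wp_nonce_url(), check_admin_referer(), wp_specialchars() and wp_die() exist (these are real WordPress 2.3-era functions). The nonce action string, the step numbers, the $convert_all callback and the function names are placeholders chosen here, not names from the ticket.

```php
<?php
// Added example for this ticket, not WordPress core code and not importers.diff.
// Assumes the WordPress admin environment is loaded (wp_nonce_url, check_admin_referer,
// wp_specialchars, wp_die). Action name and callback are hypothetical placeholders.

$action = 'import-wp-cat2tag-convert-all'; // assumed nonce action name, not from the ticket

// --- Vulnerable shape (what the report describes) -------------------------------
// Step 3 links to step 4 with a plain URL; step 4 does the destructive work on a bare GET.
function cat2tag_step3_vulnerable() {
    echo '<a href="admin.php?import=wp-cat2tag&step=4">Convert all categories to tags</a>';
}

function cat2tag_step4_vulnerable($convert_all) {
    // Debug output reflected inside an HTML comment. A GET key or value containing
    // "-->" closes the comment, so "&--><script>alert(/XSS/)</script>" executes.
    echo '<!--'; print_r($_POST); print_r($_GET); echo '-->';
    // Runs for any logged-in administrator who merely follows a crafted link or loads
    // a page that embeds it (CSRF): no token, no confirmation.
    $convert_all();
}

// --- Hardened shape ---------------------------------------------------------------
function cat2tag_step3_hardened($action) {
    // wp_nonce_url() appends _wpnonce, bound to the current user and this action, so a
    // third-party page cannot construct a valid step-4 URL for the victim.
    $url = wp_nonce_url('admin.php?import=wp-cat2tag&step=4', $action);
    echo '<a href="' . wp_specialchars($url) . '">Convert all categories to tags</a>';
}

function cat2tag_step4_hardened($action, $convert_all) {
    // check_admin_referer() verifies $_REQUEST['_wpnonce'] against $action for the
    // current user and calls wp_die() on failure, so the request never reaches the work.
    check_admin_referer($action);
    // No raw reflection of request data. If a debug dump is really wanted, emit it
    // escaped (see cat2tag_debug_comment below) so the comment cannot be closed early.
    $convert_all();
}

// Escaped variant of the debug dump: "<", ">" and "&" become entities, so neither
// "-->" nor "<script>" survives intact. Pure function, kept separate so it can be
// inspected without the WordPress environment.
function cat2tag_debug_comment(array $data) {
    return '<!-- ' . htmlspecialchars(print_r($data, true), ENT_QUOTES, 'UTF-8') . ' -->';
}

// Demonstration with a constructed request, mirroring the report's second PoC.
$crafted = array('import' => 'wp-cat2tag', '--><script>alert(/XSS/)</script>' => '');
$comment = cat2tag_debug_comment($crafted);
// The payload is now "--&gt;&lt;script&gt;alert(/XSS/)&lt;/script&gt;": inert inside the comment.
var_dump(strpos($comment, '--><script>') === false); // bool(true)
```

The CSRF half of the fix is the part committed in [5941]; the debug dump is simply deleted rather than escaped, which is the right call for code that should never have shipped. The escaped variant is shown only to make the comment-breakout mechanism concrete.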

Attachments

importers.diff Download (2.6 KB) - added by xknown 4 years ago.
Avoid CSRF and XSS on some importers

Change History

xknown 4 years ago

Avoid CSRF and XSS on some importers

  • Keywords has-patch commit added
  • Priority changed from normal to high
  • Severity changed from normal to major
  • Milestone set to 2.3

I'm partially to blame for the UTW importer (didn't check it over before committing) and wholly to blame for the second one (bad coding).

+2 to the patch.

comment:2   ryan 4 years ago

  • Status changed from new to closed
  • Resolution set to fixed

(In [5941]) Add nonces to tag importers. Props xknown. fixes #4811
