Opened 14 years ago
Closed 14 years ago
#16089 closed defect (bug) (wontfix)
Cross-site Scripting Vulnerability in /wp-admin/setup-config
| Reported by: | danielmiessler | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | critical | Version: | 3.1 |
| Component: | General | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
There appears to be a vulnerability in the setup-config file whereby a user can submit script to the dbhost parameter and have it echoed back by WordPress. I have attached an image for your review.
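The pattern the report describes, shown as an added example that is not WordPress's own setup-config.php code: a setup form field that reflects the submitted dbhost value back into an HTML attribute, first unescaped and then escaped for the attribute context. The function names and the sample input are constructed for this illustration.

```php
<?php
// Added example, not the project's code: rendering a "dbhost" input
// whose value is reflected from the request.

// Vulnerable pattern: raw request data is concatenated straight into HTML,
// so a double quote in the value ends the attribute and whatever follows
// is interpreted as markup.
function render_dbhost_field_vulnerable(string $dbhost): string {
    return '<input name="dbhost" value="' . $dbhost . '">';
}

// Hardened pattern: escape for the HTML attribute context before output.
// htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent of
// WordPress's esc_attr(); inside core, esc_attr() is the idiomatic call.
function render_dbhost_field_hardened(string $dbhost): string {
    $safe = htmlspecialchars($dbhost, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="dbhost" value="' . $safe . '">';
}

// Constructed sample input containing attribute-breaking characters;
// in the real form this would come from $_POST['dbhost'].
$submitted = 'db"host<1>';

// In the vulnerable output the quote and angle brackets survive as markup;
// in the hardened output they are entity-encoded and remain a literal value.
echo render_dbhost_field_vulnerable($submitted), "\n";
echo render_dbhost_field_hardened($submitted), "\n";
```

Escaping must match the output context: esc_attr()/htmlspecialchars() with ENT_QUOTES is correct for an attribute value, while text placed inside a script block or a URL needs a different escaper.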
Attachments (2)
Change History (11)
#1, 14 years ago
- Milestone changed from Awaiting Review to 3.1
Too late now, but things like this should be reported to security@….
#2 (follow-up: 5), 14 years ago
I think I followed the correct procedure.
I went to wordpress.org, typed "report a vulnerability" into the search field, and was given instructions on how to properly fill out a trac ticket.
#5 (in reply to: 2), 14 years ago
Replying to danielmiessler:

> I think I followed the correct procedure.

No, you didn't.

> I went to wordpress.org, typed "report a vulnerability" into the search field, and was given instructions on how to properly fill out a trac ticket.
The page that comes up from that search (http://codex.wordpress.org/Reporting_Bugs) has an explicit "Reporting security issues" section that refers you to the Security FAQ page (http://codex.wordpress.org/Security_FAQ). This section reminds you to notify the vendor (the WordPress core team) privately rather than publicly about exploits, and the Security FAQ page provides the actual contact information.
It is bad practice to report security vulnerabilities in public. We need time to patch the issue and provide an update to users before anyone who would exploit the vulnerability gets a hold of it.
#6 (in reply to: 4), 14 years ago
Replying to SergeyBiryukov:
Patch looks good. Clear, obvious fix.
#7 (follow-up: 8), 14 years ago
We're protecting against someone purposefully injecting XSS into their config during setup? Why bother?
Screenshot of XSS