Make WordPress Core

Opened 14 years ago

Closed 14 years ago

#16089 closed defect (bug) (wontfix)

Cross-site Scripting Vulnerability in /wp-admin/setup-config

Reported by: danielmiessler
Owned by:
Milestone:
Priority: normal
Severity: critical
Version: 3.1
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

There appears to be a vulnerability in the setup-config file whereby a user can submit script to the dbhost parameter and have it echoed back by WordPress. I have attached an image for your review.
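The pattern the report describes is a reflected value landing inside an HTML attribute without escaping. The following is an added illustration written for this page; it is not the attached 16089.patch and not WordPress's own setup-config code. It contrasts the unescaped form field with one escaped for the attribute context, using a stand-in for WordPress's esc_attr() (assumed helper, defined here with htmlspecialchars()) and a constructed POST value in place of a real request:

```php
<?php
// Added illustration, not the ticket's patch: echoing a submitted setup field
// back into the form unescaped versus escaping it for an attribute context.

// Constructed sample input standing in for what a browser would POST as dbhost.
// The double quote is what lets the value leave the attribute it was placed in.
$submitted = array('dbhost' => 'localhost"><b>injected</b>');

// Vulnerable pattern: the raw value is concatenated straight into value="...".
function render_dbhost_field_unescaped($post) {
    $dbhost = isset($post['dbhost']) ? $post['dbhost'] : 'localhost';
    return '<input name="dbhost" id="dbhost" type="text" value="' . $dbhost . '" />';
}

// Stand-in for WordPress's esc_attr(): outside WordPress, htmlspecialchars()
// with ENT_QUOTES encodes both quote styles as well as < and >.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Hardened pattern: escape at the point of output, for the context it lands in.
function render_dbhost_field_escaped($post) {
    $dbhost = isset($post['dbhost']) ? $post['dbhost'] : 'localhost';
    return '<input name="dbhost" id="dbhost" type="text" value="' . esc_attr($dbhost) . '" />';
}

// In the first line the quote closes the attribute and the <b> element becomes
// real markup; in the second the whole value stays inside the attribute.
echo render_dbhost_field_unescaped($submitted), "\n";
echo render_dbhost_field_escaped($submitted), "\n";
```

Run it with the PHP CLI and compare the two lines. The fix is context-specific: a value written into an attribute needs attribute escaping, which is why escaping is applied where the value is output rather than where it is read.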

Attachments (2)

xssscreenshot.png (189.2 KB) - added by danielmiessler 14 years ago.
Screenshot of XSS
16089.patch (871 bytes) - added by SergeyBiryukov 14 years ago.


Change History (11)

@danielmiessler
14 years ago

Screenshot of XSS

#1 @nacin
14 years ago

  • Milestone changed from Awaiting Review to 3.1

Too late now, but things like this should be reported to security@….

#2 follow-up: @danielmiessler
14 years ago

I think I followed the correct procedure.

I went to wordpress.org, typed "report a vulnerability" into the search field, and was given instructions on how to properly fill out a trac ticket.

#3 @danielmiessler
14 years ago

Also, this should be 3.0.4 not 3.1. My fault.

#4 follow-up: @SergeyBiryukov
14 years ago

  • Keywords has-patch added; xss security vulnerability removed

#5 in reply to: ↑ 2 @ericmann
14 years ago

Replying to danielmiessler:

I think I followed the correct procedure.

No, you didn't.

I went to wordpress.org, typed "report a vulnerability" into the search field, and was given instructions on how to properly fill out a trac ticket.

The page that comes up from that search (http://codex.wordpress.org/Reporting_Bugs) has an explicit "Reporting security issues" section that refers you to the Security FAQ page (http://codex.wordpress.org/Security_FAQ). This section reminds you to notify the vendor (the WordPress core team) privately rather than publicly about exploits, and the Security FAQ page provides the actual contact information.

It is bad practice to report security vulnerabilities in public. We need time to patch the issue and provide an update to users before anyone who would exploit the vulnerability gets a hold of it.

#6 in reply to: ↑ 4 @ericmann
14 years ago

Replying to SergeyBiryukov:

Patch looks good. Clear, obvious fix.

#7 follow-up: @ryan
14 years ago

We're protecting against someone purposefully injecting XSS into their config during setup? Why bother?

#8 in reply to: ↑ 7 @westi
14 years ago

Replying to ryan:

We're protecting against someone purposefully injecting XSS into their config during setup? Why bother?

Indeed.

If the install isn't set up yet, they might as well run it for you and have the admin account ;-)

#9 @ryan
14 years ago

  • Milestone 3.1 deleted
  • Resolution set to wontfix
  • Status changed from new to closed