Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#16089 closed defect (bug) (wontfix)

Cross-site Scripting Vulnerability in /wp-admin/setup-config

Reported by: danielmiessler
Owned by:
Milestone:
Priority: normal
Severity: critical
Version: 3.1
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

There appears to be a vulnerability in the setup-config file whereby a user can submit script to the dbhost parameter and have it echoed back by WordPress. I have attached an image for your review.
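To show the class of bug the report describes, here is an added illustration (not the code of setup-config.php and not 16089.patch, whose contents are not on this page): a reduced form field that re-renders the submitted dbhost value, first unescaped and then attribute-escaped. It assumes a plain PHP string for the submitted value; htmlspecialchars() stands in for the WordPress core helper esc_attr() so it runs without WordPress.

```php
<?php
// Added illustration, not the code of setup-config.php nor of 16089.patch.
// Reduced model of a setup form that re-renders the submitted dbhost value.

// Unescaped: the submitted value is written straight into the attribute,
// so a double quote in it ends the value and the rest is parsed as markup.
function render_dbhost_field_unescaped(string $dbhost): string
{
    return '<input name="dbhost" type="text" value="' . $dbhost . '" />';
}

// Escaped: quotes and angle brackets become entities, so the submitted value
// can neither close the attribute nor open a tag. In WordPress core the
// equivalent helper is esc_attr(); htmlspecialchars() is used here so this
// file runs stand-alone.
function render_dbhost_field_escaped(string $dbhost): string
{
    $safe = htmlspecialchars($dbhost, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="dbhost" type="text" value="' . $safe . '" />';
}

// Constructed sample input (not from the report): a hostname followed by a
// quote and a closing bracket, which is enough to break out of the attribute.
$submitted = 'localhost"><em>injected</em>';

$unescaped = render_dbhost_field_unescaped($submitted);
$escaped   = render_dbhost_field_escaped($submitted);

echo $unescaped, PHP_EOL;
echo $escaped, PHP_EOL;

// Self-check: the unescaped rendering contains extra tags, the escaped one
// contains exactly the single <input> tag and no raw double quote from input.
assert(substr_count($unescaped, '<') > 1);
assert(substr_count($escaped, '<') === 1);
assert(strpos($escaped, '&quot;&gt;') !== false);
```

The same check (count the tags in the rendered output) is a quick way to confirm that a field echoing user input is escaped, whether in the installer or anywhere else in wp-admin.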

Attachments (2)

xssscreenshot.png (189.2 KB) - added by danielmiessler 3 years ago.
Screenshot of XSS
16089.patch (871 bytes) - added by SergeyBiryukov 3 years ago.


Change History (11)

danielmiessler 3 years ago

Screenshot of XSS

comment:1 nacin 3 years ago

  • Milestone changed from Awaiting Review to 3.1

Too late now, but things like this should be reported to security@….

comment:2 follow-up: danielmiessler 3 years ago

I think I followed the correct procedure.

I went to wordpress.org, typed "report a vulnerability" into the search field, and was given instructions on how to properly fill out a trac ticket.

comment:3 danielmiessler 3 years ago

Also, this should be 3.0.4 not 3.1. My fault.

SergeyBiryukov 3 years ago

comment:4 follow-up: SergeyBiryukov 3 years ago

  • Keywords has-patch added; xss security vulnerability removed

comment:5 in reply to: ↑ 2 ericmann 3 years ago

Replying to danielmiessler:

I think I followed the correct procedure.

No, you didn't.

I went to wordpress.org, typed "report a vulnerability" into the search field, and was given instructions on how to properly fill out a trac ticket.

The page that comes up from that search (http://codex.wordpress.org/Reporting_Bugs) has an explicit "Reporting security issues" section that refers you to the Security FAQ page (http://codex.wordpress.org/Security_FAQ). This section reminds you to notify the vendor (the WordPress core team) privately rather than publicly about exploits, and the Security FAQ page provides the actual contact information.

It is bad practice to report security vulnerabilities in public. We need time to patch the issue and provide an update to users before anyone who would exploit the vulnerability gets a hold of it.

comment:6 in reply to: ↑ 4 ericmann 3 years ago

Replying to SergeyBiryukov:

Patch looks good. Clear, obvious fix.

comment:7 follow-up: ryan 3 years ago

We're protecting against someone purposefully injecting XSS into their config during setup? Why bother?

comment:8 in reply to: ↑ 7 westi 3 years ago

Replying to ryan:

We're protecting against someone purposefully injecting XSS into their config during setup? Why bother?

Indeed.

If the install isn't set up yet they might as well run it for you and have the admin account ;-)

comment:9 ryan 3 years ago

  • Milestone 3.1 deleted
  • Resolution set to wontfix
  • Status changed from new to closed