Make WordPress Core

Opened 14 years ago

Closed 14 years ago

Last modified 13 years ago

#1686 closed defect (bug) (fixed)

CSS Security Vulnerability

Reported by: hendry
Owned by: ryan
Milestone:
Priority: normal
Severity: normal
Version: 1.5.2
Component: Administration
Keywords: security
Focuses:
Cc:

Description

Contains Patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328909

A cross site scripting vulnerability exists in WordPress. The vulnerability manifests itself only when viewed by IE, as Mozilla converts < in the URL to &lt;

By noamr@…

Change History (8)

#1 @ryan
14 years ago

  • Owner changed from anonymous to ryan
  • Status changed from new to assigned

#2 @matt
14 years ago

This doesn't make any sense. Maybe a sample exploit would clarify what the actual bug is?

#3 @hendry
14 years ago

Ryan do you have an email?

I am finding it a complete pain in the arse having to act as a "copy and paste" intermediary between Noam and this BTS.

I am not sure how to update that site, but here is one example:
http://www.fuegodesigns.com/blog/?%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

If you access the above URL using Mozilla/IE you won't get anything to trigger BUT, the source HTML will include:
<a href="http://www.fuegodesigns.com/blog/?%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&amp;paged=2">Next
Page &raquo;</a></span>

Accessing this URL via IE:
http://www.fuegodesigns.com/blog/?"><script>alert(document.cookie)</script>

Will return in IE the following HTML source:
a href="http://www.fuegodesigns.com/blog/?\"><script>alert(document.cookie)</script>&amp;paged=2">Next
Page

On 9/23/05, Kai Hendry <hendry@iki.fi> wrote:
> On 2005-09-23T08:42+0200 Noam Rathaus wrote:
> > The problem is that wordpress embeds the data sent from the user
> > inside the response.

#4 @dougal
14 years ago

So, basically, a user with high enough privileges to mess with your system can mess with your system?

Would filtering the URL with wp_specialchars() fix this "bug"?

#5 @hendry
14 years ago

Noam writes:

Anyone sending you a link to the blog web site with the cross site scripting code will get you to execute the code. As this HTML/Javascript code can do practically anything, for example promote you to administrator of the blog, the code can be pretty dangerous.

Yes, wp_specialchars() would fix it, as it would encode at the very least the < and > into &lt; and &gt;.

Does this BTS have some sort of email interface? :/

#6 @ryan
14 years ago

  • Milestone set to 2.0.1

#7 @ryan
14 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3440]) wp_specialchars the request uri when constructing paging links. fixes #1686
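An added example in PHP, not code from WordPress or from this ticket, contrasting the paging-link construction the thread describes (raw request URI dropped into an href) with the escaped form of the fix in [3440]. The function names are hypothetical, the request URI is constructed, and htmlspecialchars() stands in for wp_specialchars():

```php
<?php
// Constructed request URI: what IE sent without encoding the quote and brackets,
// whereas Mozilla would have sent %22%3E%3Cscript%3E... instead.
$request_uri = '/blog/?"><script>alert(document.cookie)</script>';

// Vulnerable form (hypothetical helper): the raw URI lands inside a double-quoted
// href, so the `">` in it closes the attribute and the tag, and everything after
// it is parsed by the browser as live markup.
function next_page_link_unsafe(string $uri, int $page): string {
    return '<a href="' . $uri . '&amp;paged=' . $page . '">Next Page &raquo;</a>';
}

// Hardened form (hypothetical helper): encode &, <, >, " before interpolation,
// which is what applying wp_specialchars() to the request URI achieves.
// htmlspecialchars() with ENT_QUOTES is the stock PHP equivalent used here.
function next_page_link_safe(string $uri, int $page): string {
    $escaped = htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $escaped . '&amp;paged=' . $page . '">Next Page &raquo;</a>';
}

// Check (hypothetical helper): read the href value the way a browser does, up to
// the first '"', and confirm the tag then closes directly into the link text,
// i.e. nothing from the URI escaped the attribute.
function href_is_intact(string $html): bool {
    if (!preg_match('/href="([^"]*)"/', $html, $m)) {
        return false;
    }
    $after = substr($html, strpos($html, $m[0]) + strlen($m[0]));
    return strpos($m[1], '<') === false && strpos($after, '>Next Page') === 0;
}

$unsafe = next_page_link_unsafe($request_uri, 2);
$safe   = next_page_link_safe($request_uri, 2);

// In the unsafe link the href ends at `/blog/?` and <script>... follows as markup;
// in the safe link the whole URI survives as &quot;&gt;&lt;script&gt;... text.
echo $unsafe, "\n";
echo $safe, "\n";
var_dump(href_is_intact($unsafe));
var_dump(href_is_intact($safe));
```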

#8 @(none)
13 years ago

  • Milestone 2.0.1 deleted
