Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#24784 closed defect (bug) (fixed)

Plain text content injection issue in feed error message

Reported by: harrym's profile harrym Owned by:
Milestone: 3.7 Priority: normal
Severity: normal Version: 3.6
Component: Feeds Keywords: 3.7-early
Focuses: Cc:

Description

WordPress 3.5.2 contains an error message relating to the use of an invalid feed template which emits user output. It is not possible to include HTML in this field, but text content can be injected. For example:

http://your-wordpress-website.com/?feed=This%20website%20has%20been%20hacked.%20%20Quick%2C%20write%20a%20news%20paper%20story%20about%20this%21%20I%20am%20tired%20of%20error%20messages%20that%20say%20this

This message is emitted in wp-includes/functions.php in do_feed() at line 1009.

This issue was discovered by Glyn Wintle.

[NB: I have not attached a patch because the core team have already agreed that they will target a fix for 3.7.]

Change History (4)

#1 @nacin
12 years ago

  • Keywords needs-patch 3.7-early added
  • Milestone changed from Awaiting Review to Future Release
  • Summary changed from Plain text content injection vulnerability in feed error message to Plain text content injection isue in feed error message

#2 @SergeyBiryukov
12 years ago

  • Summary changed from Plain text content injection isue in feed error message to Plain text content injection issue in feed error message

#3 @wonderboymusic
12 years ago

  • Milestone changed from Future Release to 3.7

these are all marked 3.7-early

#4 @SergeyBiryukov
12 years ago

  • Keywords needs-patch removed
  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [25190].

Note: See TracTickets for help on using tickets.