#33402 closed defect (bug) (invalid)
Zero Day in the Comment section of the latest WordPress release
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.2.4 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
I found a stored XSS in the comment section of WordPress.
Stored Cross-site Scripting (XSS) is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and related exploitation scenarios.
The POST request I sent was:

```http
POST /wordpress/wp-comments-post.php HTTP/1.1
Host: localhost
Content-Length: 162
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/wordpress/index.php/2015/08/17/hello-world/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=mmssbonu21%7C1440022264%7CYQQOLOtHYDiOWcY530mQphmeXi9RIx7DkSLh8kdqZZ4%7Cf611a27ebe5fd565b39e3bfff8ee680e8206219a14ccfdae75547f9d293c0025; wp-settings-time-1=1439881779

comment=testing11a6f<script>alert(1)<%2fscript>2f4c9&submit=Post+Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=556b24f545&_wp_unfiltered_html_comment=5753622fd1&ak_js=1439881790623
```
Attachments (1)
Change History (3)
#1 @clorith, 10 years ago
- Resolution set to invalid
- Status changed from new to closed
Hi @3entr0py, and welcome.
It seems that in this case you are signed in as a user with capabilities that allow you to make entries with unfiltered HTML (as can be seen by the _wp_unfiltered_html_comment entry in your example above).
This means you can post anything to your own comments field while signed in to the user you are currently using.
We do appreciate responsible disclosure of potential security risks; any suspected vulnerability should be reported to security@… (see the handbook article at https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ for details).
#2 @ 10 years ago
- Milestone Awaiting Review deleted
Additionally, I'd like to point out that in order to post this ticket, you had to check a checkbox which specifically said - "I am not reporting a security issue — report security issues to security@…".
As @clorith has pointed out, you're submitting the comment as a user which has the unfiltered_html capability, most likely an administrator. We cover this specifically in this security-reporting article: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html
Attachment: XSS PoC and Post Query
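To make the distinction drawn in the two replies concrete (a comment is stored as raw HTML only when the author holds the unfiltered_html capability and the request carries a valid per-post nonce; every other submission goes through the kses-style allowlist), here is an added Python model of that gate. It is not WordPress code: the allowlist, the HMAC-based nonce construction, the site secret and the time tick are constructed assumptions, and the only input taken from the ticket is the URL-decoded comment body from the request above.

```python
"""Model of the comment-content gate discussed in this ticket.

Constructed example, not WordPress code. Two conditions decide whether a
submitted comment is stored exactly as sent:
  1. the author holds the unfiltered_html capability, and
  2. the request carries a valid nonce bound to the post
     (the _wp_unfiltered_html_comment field in the ticket's request).
Everything else is passed through an allowlist sanitizer.
"""
import hashlib
import hmac
import html
from html.parser import HTMLParser

# Constructed allowlist: tag -> attributes permitted on it (far smaller than WordPress's own).
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(),
    "blockquote": {"cite"}, "p": set(),
}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags and attributes.

    Disallowed tags are dropped but the text between them is kept, and all
    text is re-escaped on output, so no raw markup survives the pass."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # e.g. <script>: the tag disappears, "alert(1)" survives as plain text
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # drops event-handler attributes such as onclick
            if name in ("href", "cite") and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and other unexpected URL schemes
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(content: str) -> str:
    """Allowlist-filter one comment body."""
    parser = AllowlistSanitizer()
    parser.feed(content)
    parser.close()  # flushes buffered trailing text
    return "".join(parser.out)


def create_nonce(secret: bytes, action: str, user_id: int, tick: int) -> str:
    """Keyed, time-bucketed token in the shape of a 10-hex-char WordPress nonce (constructed)."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[-12:-2]


def filter_comment(content, *, user_caps, post_id, submitted_nonce, user_id, secret, tick):
    """Return the text that would be stored for this submission."""
    if "unfiltered_html" in user_caps:
        expected = create_nonce(secret, f"unfiltered-html-comment_{post_id}", user_id, tick)
        if hmac.compare_digest(submitted_nonce, expected):
            return content  # trusted author (typically an administrator): stored as submitted
    return sanitize(content)


# The comment body from the ticket's request, URL-decoded (the only input taken from the page).
PAYLOAD = "testing11a6f<script>alert(1)</script>2f4c9"
SECRET = b"constructed-site-secret"  # stands in for the site's salts


if __name__ == "__main__":
    good = create_nonce(SECRET, "unfiltered-html-comment_1", user_id=1, tick=1)
    common = dict(post_id=1, submitted_nonce=good, user_id=1, secret=SECRET, tick=1)
    print("subscriber :", filter_comment(PAYLOAD, user_caps={"read"}, **common))
    print("admin+nonce:", filter_comment(PAYLOAD, user_caps={"unfiltered_html"}, **common))
```

Run as-is, the subscriber line prints `testing11a6falert(1)2f4c9` and the admin line prints the payload unchanged, which is the ticket's whole story: the same request body is stored raw only because the submitting account already had the capability to post unfiltered HTML. When triaging a report like this one, the first check is therefore which role submitted the request and whether the nonce field was present, not what the body contained.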