WordPress.org

Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#3515 closed defect (bug) (fixed)

XSS through author's url in comments

Reported by: xknown Owned by:
Milestone: 2.0.6 Priority: high
Severity: major Version: 2.0.5
Component: Security Keywords: has-patch
Focuses: Cc:

Description

Due to bad validation of author's url value in comments, someone can easily inject javascript code in the href attribute:

You can try with this value in the author's url field:

javascript:alert(document.cookie);v//://

To "exploit" this bug, as you can see, it needs user (logged) interaction

PS. Sorry for my bad English

Attachments (1)

proto.diff (908 bytes) - added by andy 11 years ago.

Download all attachments as: .zip

Change History (4)

#1 @Viper007Bond
11 years ago

  • Keywords xss comments removed
  • Milestone changed from 2.2 to 2.0.6

@andy
11 years ago

#2 @andy
11 years ago

  • Keywords has-patch added

Attached proto.diff which forces clean_url through wp_kses_bad_protocol with the default protocol list. E.g. if "javascript:" is the protocol it will return an empty string rather than a "sanitized" URL.

This can be applied to 2.0 and trunk.

#3 @ryan
11 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [4672]) Add kses protocol checking to clean_url. Props Andy. fixes #3515

Note: See TracTickets for help on using tickets.