Context Navigation

← Previous Ticket
Next Ticket →

#3515 closed defect (bug) (fixed)

XSS through author's url in comments

Reported by:	xknown	Owned by:
Milestone:	2.0.6	Priority:	high
Severity:	major	Version:	2.0.5
Component:	Security	Keywords:	has-patch
Focuses:		Cc:

Description

Due to bad validation of author's url value in comments, someone can easily inject javascript code in the href attribute:

You can try with this value in the author's url field:

javascript:alert&#x28;document.cookie&#x29;;v//://

To "exploit" this bug, as you can see, it needs user (logged) interaction

PS. Sorry for my bad English

Attachments (1)

proto.diff (908 bytes) - added by andy 18 years ago.

Download all attachments as: .zip

Change History (4)

#1 @Viper007Bond
18 years ago

Keywords xss comments removed
Milestone changed from 2.2 to 2.0.6

@andy
18 years ago

Attachment proto.diff added

#2 @andy
18 years ago

Keywords has-patch added

Attached proto.diff which forces clean_url through wp_kses_bad_protocol with the default protocol list. E.g. if "javascript:" is the protocol it will return an empty string rather than a "sanitized" URL.

This can be applied to 2.0 and trunk.

#3 @ryan
18 years ago

Resolution set to fixed
Status changed from new to closed

(In [4672]) Add kses protocol checking to clean_url. Props Andy. fixes #3515

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core