
Opened 9 years ago; closed 9 years ago; last modified 9 years ago

#3879 closed defect (bug) (fixed)

XSS in 2.1.1 in AYS for HTTP GET requests

Reported by: Reaper-X
Owned by: (none)
Milestone: 2.1.2
Priority: low
Severity: normal
Version: 2.1.1
Component: Security
Keywords: (none)
Focuses: (none)
Cc: (none)

Description (last modified by markjaquith)

http://www.securityfocus.com/archive/1/461351/30/0/threaded. http://secunia.com/advisories/24316/ reads:

Input passed to the "post" parameter in wp-admin/post.php (when "action" is set to "delete") is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the target user is logged in as administrator.
The exploit is actually more general than that: for any action that triggers nonce verification, the URL for the "Yes" action is not properly sanitized, and a specially crafted URL can escape from the link's href attribute and inject arbitrary HTML. The "delete" action and the "post" parameter just happen to be the ones used in the example.
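The attribute-context bug the description points at, as an added illustration that is not WordPress code and not part of this ticket: a confirmation page echoes the requested URL into the href of its "Yes" link, once unescaped and once escaped. The function names, the sample URL and the `post=1` value are constructed for the example.

```php
<?php
// Added example (not WordPress code). The "Are you sure?" (AYS) page rebuilds the
// requested URL as the href of its "Yes" link, so the request URI lands inside an
// HTML attribute and must be escaped for that context before it is echoed.

// Vulnerable pattern: the raw request URI is concatenated straight into the attribute.
function ays_yes_link_vulnerable(string $request_uri): string {
    return '<a href="' . $request_uri . '">Yes</a>';
}

// Hardened pattern: escape for attribute context. ENT_QUOTES converts both " and '
// to entities, so no quote in the URI can terminate the attribute (the PHP default
// before 8.1 left single quotes alone, which matters for single-quoted attributes).
// WordPress ships esc_attr() and esc_url() for the same purpose.
function ays_yes_link_hardened(string $request_uri): string {
    return '<a href="' . htmlspecialchars($request_uri, ENT_QUOTES, 'UTF-8') . '">Yes</a>';
}

// Quick check a reviewer can run on any generated link: an intact href contains
// no raw double quote between the opening href=" and the closing ">.
function href_is_intact(string $html): bool {
    return preg_match('/<a href="([^"]*)">Yes<\/a>/', $html) === 1;
}

// Constructed sample: a post.php URL whose "post" parameter carries a double quote
// followed by a harmless tag. Any action that triggers nonce verification would do.
$sample = '/wp-admin/post.php?action=delete&post=1"><b>injected</b>';

$vuln = ays_yes_link_vulnerable($sample);
$safe = ays_yes_link_hardened($sample);

echo $vuln, "\n";
// The attribute closes at the injected quote and <b>injected</b> becomes live markup.
echo $safe, "\n";
// The quote and angle brackets survive only as &quot; &lt; &gt; inside the href.

var_dump(href_is_intact($vuln)); // bool(false)
var_dump(href_is_intact($safe)); // bool(true)
```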

Change History (3)

comment:1 @markjaquith, 9 years ago

  • Resolution set to fixed
  • Status changed from new to closed

comment:2 @foolswisdom, 9 years ago

  • Description modified (diff)
  • Summary changed from XSS in 2.1.1 to XSS in 2.1.1 input passed to the "post" parameter in wp-admin/post.php

comment:3 @markjaquith, 9 years ago

  • Description modified (diff)
  • Summary changed from XSS in 2.1.1 input passed to the "post" parameter in wp-admin/post.php to XSS in 2.1.1 in AYS for HTTP GET requests

Just clearing up some confusion... some people think that this has something to do with deleting posts because of the specific example that was released. The exploit is more general than that, and it is purely an XSS hole.
