#3973 closed defect (bug) (fixed)
XSRF,XSS security hole for users with unfiltered_html capability
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 2.0.10 | Priority: | highest omg bbq |
Severity: | critical | Version: | 2.1.2 |
Component: | Security | Keywords: | comment nonce form security XSS XSRF |
Focuses: | | Cc: | |
Description
As reported at:
http://www.virtuax.be/advisories/Advisory4-20022007.txt
Users with the `unfiltered_html` capability get to skip KSES stripping of harmful HTML markup. An XSRF attack can be used to trick these users into submitting comments with harmful XSS-laden markup.

Attached patch is a first stab at a solution for trunk, 2.0.x and 2.1.x.

The patch alters `wp_nonce_field()` so that the form name can be specified. For users with `unfiltered_html`, the `comment_form` hook is used to use `wp_nonce_field` to inject a hidden nonced field, using a special name.

On comment submit, users with `unfiltered_html` have this nonce checked. If the nonce check fails, KSES silently reverts to normal non-`unfiltered_html` operation, zapping any XSS-esque content and rendering the attack useless. This silent fallback is used so that themes without the `comment_form` hook don't block `unfiltered_html`-capable comments... they just sanitize them more closely than they would if the theme supported the `comment_form` hook.
Triple milestone: 2.2 (trunk), 2.1.3, 2.0.10
Trunk has been tested with this patch, and 2.1.x applied cleanly. 2.0.x has not yet been tested.
Patch for all three WP branches
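As an added illustration of the mechanism described in the ticket (this is not the attached patch and not WordPress's own code), a plugin-style PHP sketch built on WordPress hook and nonce APIs. The hidden field name `_demo_unfiltered_comment_nonce`, the action prefix `demo-unfiltered-comment_` and the `demo_*` function names are assumptions; `comment_form`, `preprocess_comment`, `wp_nonce_field()`, `wp_verify_nonce()`, `current_user_can()`, `kses_remove_filters()` and `kses_init_filters()` are existing WordPress APIs.

```php
<?php
// Added example (not the ticket's patch): nonce-gated unfiltered_html comments
// with a fail-closed fallback to KSES filtering. Field/action names are assumed.

const DEMO_NONCE_FIELD = '_demo_unfiltered_comment_nonce';

// Bind the nonce to the post being commented on, so a token captured from one
// comment form cannot be replayed against another post.
function demo_nonce_action( $post_id ) {
    return 'demo-unfiltered-comment_' . (int) $post_id;
}

// 1. Only users who would bypass KSES get the hidden nonce field. Themes that
//    call do_action( 'comment_form', $post->ID ) will render it; themes that
//    do not are still safe because step 2 falls back to filtering.
add_action( 'comment_form', function ( $post_id ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        // Third argument false: no extra referer field is needed here.
        wp_nonce_field( demo_nonce_action( $post_id ), DEMO_NONCE_FIELD, false );
    }
} );

// 2. On submit, verify the nonce before the comment is stored. A missing or
//    invalid nonce does not reject the comment; it re-installs the KSES
//    filters so the content is sanitized exactly as a non-privileged user's.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return $commentdata; // KSES already applies to everyone else.
    }

    $nonce  = isset( $_POST[ DEMO_NONCE_FIELD ] ) ? (string) $_POST[ DEMO_NONCE_FIELD ] : '';
    $action = demo_nonce_action( $commentdata['comment_post_ID'] );

    if ( ! wp_verify_nonce( $nonce, $action ) ) {
        // Silent fallback: behave as if the user lacked unfiltered_html for this
        // request. kses_init_filters() hooks wp_filter_kses onto
        // pre_comment_content, which runs later in wp_new_comment().
        kses_remove_filters();
        kses_init_filters();
    }

    return $commentdata;
}, 1 );
```

The detection-side signal worth logging is a privileged user whose comment arrives without a valid nonce: legitimately that only happens on themes lacking the `comment_form` hook, so repeated failures from a theme that does emit the field point at cross-site submissions.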