#3986 closed defect (bug) (fixed)
XSS in wp_nonce_ays
Reported by: | xknown | Owned by: | |
---|---|---|---|
Milestone: | 2.0.10 | Priority: | highest omg bbq |
Severity: | normal | Version: | 2.0.9 |
Component: | Security | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
There's a small XSS vulnerability in wp_nonce_ays that requires user intervention; attribute_escape is useless when _wp_http_referer contains something like javascript:alert("XSS").
PoC (click "No"):
http://wp/wp-admin/plugins.php?action=activate&plugin=akismet/akismet.php&_wp_http_referer=javascript:alert(%22XSS%22)
Attachments (8)
Change History (15)
#1 (17 years ago)
- Keywords has-patch added
- Priority changed from low to highest omg bbq
The given PoC didn't work for me out of the box, but with some fiddling I got it to work.
2.0.x, 2.1.x and trunk are all vulnerable.
The given patch takes the sting out of the attack on my tests.
Also please note that the attached patch was made from the wp-includes directory and not from the root.
#3 (17 years ago)
We're using clean_url instead of attribute_escape for content that goes in an href or src.
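To show why the fix swaps the escaping function, here is an added example that is not from the ticket or from WordPress: `html_attr_escape`, `sanitize_href` and `render_no_link` are hypothetical stand-ins that mimic the difference between HTML-attribute escaping (what attribute_escape does) and a URL-scheme allowlist (the kind of check clean_url adds), applied to the "No" link of the nonce confirmation page.

```php
<?php
// Added example, not WordPress code: HTML-attribute escaping keeps the markup
// well-formed, but a javascript: href is still a javascript: href once the
// browser decodes the attribute. A scheme allowlist is the missing control.

// Stand-in for attribute_escape(): encodes quotes and angle brackets only.
function html_attr_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Stand-in for an href sanitiser in the spirit of clean_url():
// strip control bytes browsers tolerate inside a scheme, then allow only
// http(s) or relative URLs, and finally escape for the attribute context.
function sanitize_href(string $url): string {
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m)) {
        if (!in_array(strtolower($m[1]), ['http', 'https'], true)) {
            return '';  // javascript:, data:, vbscript: etc. are refused outright
        }
    }
    return html_attr_escape($url);
}

// Builds the "No" link from the raw _wp_http_referer value, before/after the fix.
function render_no_link(string $referer, bool $hardened): string {
    $href = $hardened ? sanitize_href($referer) : html_attr_escape($referer);
    return '<a href="' . $href . '">No</a>';
}

// Constructed input: the ticket's PoC value as PHP sees it in $_GET (already
// percent-decoded), plus an obfuscated variant and a legitimate relative URL.
$poc      = 'javascript:alert("XSS")';
$obscured = "JaVa\tScRiPt:alert(1)";
$legit    = '/wp-admin/plugins.php?page=1&x=y';

// Before: the quotes become &quot; but the scheme survives, so clicking runs it.
echo render_no_link($poc, false), "\n";
// After: the scheme is rejected and the href is emptied; the tab-obfuscated
// variant is caught too, while the relative URL passes with & escaped.
echo render_no_link($poc, true), "\n";
echo render_no_link($obscured, true), "\n";
echo render_no_link($legit, true), "\n";
```

The allowlist is deliberately narrow; a production sanitiser would also decide what to do with protocol-relative (`//host/...`) values rather than letting them through as relative paths.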