Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#3986 closed defect (bug) (fixed)

XSS in wp_nonce_ays

Reported by: xknown
Owned by:
Milestone: 2.0.10
Priority: highest omg bbq
Severity: normal
Version: 2.0.9
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description

There's a small XSS vulnerability in wp_nonce_ays that requires user intervention: attribute_escape is useless when _wp_http_referer contains something like javascript:alert("XSS").

PoC (click "No"):
http://wp/wp-admin/plugins.php?action=activate&plugin=akismet/akismet.php&_wp_http_referer=javascript:alert(%22XSS%22)

Attachments (8)

functions.diff (436 bytes) - added by xknown 8 years ago.
Proposed fix
clean_url-admin_a-l.diff (7.7 KB) - added by ryan 8 years ago.
Use clean_url where appropriate. Admin files A - L.
trunk_wp-admin_m-z.diff (4.8 KB) - added by markjaquith 8 years ago.
trunk/wp-admin/ (m-z)
trunk_wp-includes_m-z.diff (700 bytes) - added by markjaquith 8 years ago.
trunk/wp-includes/ (m-z)
clean_url-includes_a-l.diff (5.1 KB) - added by ryan 8 years ago.
clean_url() for wp-includes A - L
trunk_inclusive.diff (18.7 KB) - added by markjaquith 8 years ago.
trunk/
2.1_inclusive.diff (19.1 KB) - added by markjaquith 8 years ago.
branches/2.1/ patch
2.0_inclusive.diff (5.7 KB) - added by markjaquith 8 years ago.
branches/2.0/ patch


Change History (15)

@xknown, 8 years ago

Proposed fix

@ryan, 8 years ago

Use clean_url where appropriate. Admin files A - L.

@markjaquith, 8 years ago

trunk/wp-admin/ (m-z)

@markjaquith, 8 years ago

trunk/wp-includes/ (m-z)

@ryan, 8 years ago

clean_url() for wp-includes A - L

comment:1 @Nazgul, 8 years ago

  • Keywords has-patch added
  • Priority changed from low to highest omg bbq

The given PoC didn't work for me out of the box, but with some fiddling I got it to work.

2.0.x, 2.1.x and trunk are all vulnerable.

The given patch takes the sting out of the attack on my tests.

Also please note that the attached patch was made from the wp-includes directory and not from the root.

comment:2 @Nazgul, 8 years ago

Guess I was typing too slow. :)

@markjaquith, 8 years ago

trunk/

comment:3 @ryan, 8 years ago

We're using clean_url instead of attribute_escape for content that goes in an href or src.
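The distinction drawn in the description and in comment:3 (entity-escaping does nothing about a javascript: scheme inside an href; only a scheme check does), shown as an added example. This is not WordPress code and not from any of the attached patches: attribute_escape_like() and clean_url_like() are simplified stand-ins written here for illustration, and the scheme allowlist they use is an assumption, not the real clean_url() behaviour of the time.

```php
<?php
// Added example, not code from WordPress or from this ticket. It contrasts an
// attribute_escape()-style HTML escape with a clean_url()-style scheme allowlist
// on the kind of value the PoC puts in _wp_http_referer. Both helper names and
// the allowlist are assumptions chosen for illustration.

// Mimics attribute_escape(): entity-encode the characters that could break out
// of a quoted attribute. It says nothing about what the URL itself does.
function attribute_escape_like(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified clean_url()-style filter (assumed behaviour, not the real function):
// drop control characters that browsers ignore inside a scheme, then reject any
// absolute URL whose scheme is not on the allowlist. Scheme-less (relative)
// URLs such as /wp-admin/plugins.php pass through. The survivor is still
// attribute-escaped, because the two defences address different problems.
function clean_url_like(string $url): string
{
    $url = preg_replace('/[\x00-\x1f\x7f]/', '', $url);
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)) {
        $allowed = ['http', 'https', 'ftp', 'mailto'];
        if (!in_array(strtolower($m[1]), $allowed, true)) {
            return ''; // rejected; a real fix would substitute a safe default URL
        }
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Builds the "No" link the way wp_nonce_ays uses the referer: as an href.
function render_no_link(string $href): string
{
    return '<a href="' . $href . '">No</a>';
}

// Constructed inputs. The first is the PoC's payload; the second hides the
// scheme behind a tab, which browsers strip; the last two are legitimate.
$inputs = [
    'javascript:alert("XSS")',
    "java\tscript:alert(1)",
    '/wp-admin/plugins.php?page=1',
    'https://example.com/?q="><img src=x onerror=alert(1)>',
];

foreach ($inputs as $in) {
    echo "input:            " . addcslashes($in, "\0..\37") . "\n";
    echo "attribute_escape: " . render_no_link(attribute_escape_like($in)) . "\n";
    echo "clean_url:        " . render_no_link(clean_url_like($in)) . "\n\n";
}
```

For the PoC payload the escaped form is `href="javascript:alert(&quot;XSS&quot;)"`; the browser decodes the entities when it parses the attribute, so the link is still the javascript: URL and clicking "No" executes it. The scheme check rejects it outright (and the tab-split variant, once control characters are removed), while a relative path and an https URL with attribute-breaking characters pass through and are merely escaped.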

@markjaquith, 8 years ago

branches/2.1/ patch

comment:4 @markjaquith, 8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [5056]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

comment:5 @markjaquith, 8 years ago

(In [5057]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

@markjaquith, 8 years ago

branches/2.0/ patch

comment:6 @markjaquith, 8 years ago

(In [5058]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.

comment:7 @Nazgul, 8 years ago

  • Milestone changed from 2.1.3 to 2.0.10
  • Version changed from 2.1.2 to 2.0.9