WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#4689 closed enhancement (fixed)

Wordpress uploads.php Cross-Site Scripting Vulnerability

Reported by: BenjaminFlesch Owned by: Nazgul
Milestone: 2.2.2 Priority: highest omg bbq
Severity: critical Version: 2.2.1
Component: Security Keywords: has-patch
Focuses: Cc:

Description

In /upload.php the parameter style is prone to XSS Attacks when editing Temporary Uploads (they usually have a negative ID). An attack could look like this:
/upload.php?style=%22%3E{shellcode}&tab=upload&post_id=-1337

Description: http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm/

Patch:
IDs should be integers
$ID = (int) $ID;
$post_id = (int) $post_id;
*$style = preg_replace('/[A-Za-z]/', , $style);

add the line marked with the * to upload.php behind the $post_id one

Attachments (2)

4689.diff (798 bytes) - added by Nazgul 7 years ago.
4689.002.diff (826 bytes) - added by markjaquith 7 years ago.
int-case the ID

Download all attachments as: .zip

Change History (11)

comment:1 Nazgul7 years ago

  • Keywords needs-patch added
  • Milestone set to 2.2.2

Confirmed on 2.2.1 and trunk.

Fix should be a putiing in a missing attribute_escape instead of the given regex (in my opinion).

Nazgul7 years ago

comment:2 Nazgul7 years ago

  • Keywords has-patch added; needs-patch removed
  • Owner changed from anonymous to Nazgul
  • Status changed from new to assigned

Patch puts the needed attribute_escape in place and also put one around the nearby $post_id as an extra safeguard.

markjaquith7 years ago

int-case the ID

comment:3 markjaquith7 years ago

BenjaminFlesch, in the future, please submit security bugs to security@…

comment:4 markjaquith7 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [5827]) attribute_escape() in upload form action. Props Nazgul. fixes #4689 for trunk

comment:5 markjaquith7 years ago

(In [5828]) attribute_escape() in upload form action. Props Nazgul. fixes #4689 for 2.2.x

comment:6 markjaquith7 years ago

(In [5837]) More upload escaping. Props Brian Layman. fixes #4689 for trunk

comment:7 markjaquith7 years ago

(In [5838]) More upload escaping. Props Brian Layman. fixes #4689 for 2.2.x

comment:8 hendry7 years ago

I assume 2.0.11 is not vulnerable as it does not have wp-admin/upload.php

comment:9 markjaquith7 years ago

I looked through the equivalent code and couldn't find the issue duplicated in 2.0.x

Note: See TracTickets for help on using tickets.