WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 6 years ago

#9138 closed defect (bug) (fixed)

Mask HTML output in _wp_dashboard_recent_comments_row()

Reported by: mastermind Owned by: ryan
Milestone: 2.8 Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch tested commit
Focuses: Cc:

Description

Problem:
In _wp_dashboard_recent_comments_row(), dashboard.php, the post_title of a post is printed as in the database. HTML special characters are not masked.

This is not a security problem by itself, but it can facilate XSS exploits. For example, if an attacker manages to insert JavaScript into a post's title and leaves a comment for this post, then as soon as an admin loads the dashboard, the JavaScript is executed. (I did not make this up; this is a scenario with a vulnerable plugin, for which I was able to create a PoC exploit.)

Luckily, with WP 2.7+ and PHP 5.2+, the auth cookies are HttpOnly. But they aren't on older setups, and there are enough other nasty XSS attacks (e.g. in conjunction with Social Engineering), which can make this potentially dangerous.

Reproduce:

  1. UPDATE wp_posts SET post_title = CONCAT(post_title, '<script type="text/javascript">alert("XSS!");</script>') WHERE ID = 1;
  2. To be sure that the comment with the accoring post_title is shown in the dashboard, leave a comment
  3. Go to the admin dashboard.

Solution:
In dashboard.php:483, change:
$comment_post_title = get_the_title( $comment->comment_post_ID );

to:
$comment_post_title = htmlspecialchars( get_the_title( $comment->comment_post_ID ) );

Attachments (1)

9138.diff (652 bytes) - added by Denis-de-Bernardy 6 years ago.
strip all tags instead

Download all attachments as: .zip

Change History (4)

comment:1 @Viper007Bond6 years ago

  • Keywords has-patch added

@Denis-de-Bernardy6 years ago

strip all tags instead

comment:2 @Denis-de-Bernardy6 years ago

  • Keywords tested commit added

comment:3 @ryan6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [11352]) strip tags on post titles in recent comments dashboard widget. Props Denis-de-Bernardy, mastermind. fixes #9138

Note: See TracTickets for help on using tickets.