Opened 16 years ago
Closed 16 years ago
#9138 closed defect (bug) (fixed)
Mask HTML output in _wp_dashboard_recent_comments_row()
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 2.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | has-patch tested commit |
Focuses: | | Cc: | |
Description
Problem:
In _wp_dashboard_recent_comments_row(), dashboard.php, the post_title of a post is printed as in the database. HTML special characters are not masked.
This is not a security problem by itself, but it can facilitate XSS exploits. For example, if an attacker manages to insert JavaScript into a post's title and leaves a comment for this post, then as soon as an admin loads the dashboard, the JavaScript is executed. (I did not make this up; this is a scenario with a vulnerable plugin, for which I was able to create a PoC exploit.)
Luckily, with WP 2.7+ and PHP 5.2+, the auth cookies are HttpOnly. But they aren't on older setups, and there are enough other nasty XSS attacks (e.g. in conjunction with Social Engineering), which can make this potentially dangerous.
Reproduce:
- UPDATE wp_posts SET post_title = CONCAT(post_title, '<script type="text/javascript">alert("XSS!");</script>') WHERE ID = 1;
- To be sure that the comment with the according post_title is shown in the dashboard, leave a comment.
- Go to the admin dashboard.
Solution:
In dashboard.php:483, change:
$comment_post_title = get_the_title( $comment->comment_post_ID );
to:
$comment_post_title = htmlspecialchars( get_the_title( $comment->comment_post_ID ) );
strip all tags instead
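As an added illustration (not code from this ticket or from WordPress core), the following stand-alone PHP models the recent-comments row and contrasts the unescaped output with the two fixes discussed: the htmlspecialchars() change proposed in the description and the "strip all tags" alternative from the closing comment. The sample title, the render_row_* helper names and the simplified row markup are constructed for the example; the fourth htmlspecialchars() argument (double_encode) exists from PHP 5.2.3 on.

```php
<?php
// Added example, not WordPress code: a stand-alone model of the dashboard
// recent-comments row, showing the unescaped output next to the two fixes
// discussed in the ticket (htmlspecialchars() and stripping tags).

// Constructed sample: a post title into which markup was injected, as in the
// ticket's reproduction step.
$title = 'Hello world!<script type="text/javascript">alert("XSS!");</script>';

// Model of the original line: the title is interpolated into the row exactly
// as it is stored in the database.
function render_row_unescaped($post_title) {
    return "<div class=\"dashboard-comment-wrap\"><a href=\"#\">{$post_title}</a></div>";
}

// Fix proposed in the ticket: entity-encode the title so the browser renders
// the markup as text. ENT_QUOTES also encodes single quotes, which matters if
// the value ever lands inside a single-quoted attribute. double_encode=false
// keeps entities that title filters may already have produced (e.g. &#8217;
// from texturizing) from being encoded a second time.
function render_row_escaped($post_title) {
    $safe = htmlspecialchars($post_title, ENT_QUOTES, 'UTF-8', false);
    return "<div class=\"dashboard-comment-wrap\"><a href=\"#\">{$safe}</a></div>";
}

// Alternative from the closing comment: drop tags entirely. strip_tags()
// removes the <script> element but leaves its text content ('alert(...)')
// behind, and it does not encode a stray '<' or '&', so for untrusted text it
// is safest combined with htmlspecialchars() rather than used on its own.
function render_row_stripped($post_title) {
    $safe = htmlspecialchars(strip_tags($post_title), ENT_QUOTES, 'UTF-8', false);
    return "<div class=\"dashboard-comment-wrap\"><a href=\"#\">{$safe}</a></div>";
}

// Regression check a unit test for this fix would make: the rendered row must
// not contain a live <script> element.
function contains_script_element($html) {
    return stripos($html, '<script') !== false;
}

foreach (array('unescaped' => 'render_row_unescaped',
               'escaped'   => 'render_row_escaped',
               'stripped'  => 'render_row_stripped') as $label => $fn) {
    $html = $fn($title);
    printf("%-9s script element present: %s\n%s\n\n",
        $label, contains_script_element($html) ? 'yes' : 'no', $html);
}
```

Run it with `php example.php`: only the unescaped variant reports a live script element. The stripped variant shows why tag stripping alone is a weaker fix than escaping: the script body survives as visible text, and any remaining `<` or `&` would still need encoding before output.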