Make WordPress Core

Opened 16 years ago

Closed 16 years ago

#9138 closed defect (bug) (fixed)

Mask HTML output in _wp_dashboard_recent_comments_row()

Reported by: mastermind's profile mastermind Owned by: ryan's profile ryan
Milestone: 2.8 Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch tested commit
Focuses: Cc:

Description

Problem:
In _wp_dashboard_recent_comments_row(), dashboard.php, the post_title of a post is printed as in the database. HTML special characters are not masked.

This is not a security problem by itself, but it can facilate XSS exploits. For example, if an attacker manages to insert JavaScript into a post's title and leaves a comment for this post, then as soon as an admin loads the dashboard, the JavaScript is executed. (I did not make this up; this is a scenario with a vulnerable plugin, for which I was able to create a PoC exploit.)

Luckily, with WP 2.7+ and PHP 5.2+, the auth cookies are HttpOnly. But they aren't on older setups, and there are enough other nasty XSS attacks (e.g. in conjunction with Social Engineering), which can make this potentially dangerous.

Reproduce:

  1. UPDATE wp_posts SET post_title = CONCAT(post_title, '<script type="text/javascript">alert("XSS!");</script>') WHERE ID = 1;
  2. To be sure that the comment with the accoring post_title is shown in the dashboard, leave a comment
  3. Go to the admin dashboard.

Solution:
In dashboard.php:483, change:
$comment_post_title = get_the_title( $comment->comment_post_ID );

to:
$comment_post_title = htmlspecialchars( get_the_title( $comment->comment_post_ID ) );

Attachments (1)

9138.diff (652 bytes) - added by Denis-de-Bernardy 16 years ago.
strip all tags instead

Download all attachments as: .zip

Change History (4)

#1 @Viper007Bond
16 years ago

  • Keywords has-patch added

@Denis-de-Bernardy
16 years ago

strip all tags instead

#2 @Denis-de-Bernardy
16 years ago

  • Keywords tested commit added

#3 @ryan
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [11352]) strip tags on post titles in recent comments dashboard widget. Props Denis-de-Bernardy, mastermind. fixes #9138

Note: See TracTickets for help on using tickets.