Ticket #1686 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

CSS Security Vulnerability

Reported by: hendry Assigned to: ryan
Priority: normal Milestone:
Component: Administration Version: 1.5.2
Severity: normal Keywords: security
Cc:

Description

Contains Patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328909

A cross-site scripting vulnerability exists in WordPress; the vulnerability manifests itself only when viewed in IE, as Mozilla converts < in the URL to &lt;

By noamr@beyondsecurity.com

Change History

09/19/05 01:05:57 changed by ryan

  • owner changed from anonymous to ryan.
  • status changed from new to assigned.

09/19/05 19:08:29 changed by matt

This doesn't make any sense. Maybe a sample exploit would clarify what the actual bug is?

09/26/05 00:26:19 changed by hendry

Ryan do you have an email?

I am finding it a complete pain in the arse having to act as a "copy and paste" intermediary between Noam and this BTS.

I am not sure how to update that site, but here is one example:
http://www.fuegodesigns.com/blog/?%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

If you access the above URL using Mozilla/IE you won't get anything to trigger BUT, the source HTML will include:
<a href="http://www.fuegodesigns.com/blog/?%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&amp;paged=2">Next Page &raquo;</a></span>

Accessing this URL via IE:
http://www.fuegodesigns.com/blog/?"><script>alert(document.cookie)</script>

Will return in IE the following HTML source:
<a href="http://www.fuegodesigns.com/blog/?\"><script>alert(document.cookie)</script>&amp;paged=2">Next Page

On 9/23/05, Kai Hendry <hendry@iki.fi> wrote:
> On 2005-09-23T08:42+0200 Noam Rathaus wrote:
> > The problem is that wordpress embeds the data sent from the user
> > inside the response.

10/28/05 17:57:13 changed by dougal

So, basically, a user with high enough privileges to mess with your system can mess with your system?

Would filtering the URL with wp_specialchars() fix this "bug"?

11/15/05 03:17:20 changed by hendry

Noam writes:

Anyone sending you a link to the blog web site with the cross site scripting
code will get you to execute the code. As this HTML/Javascript code can do
practically anything, for example promote you to administrator of the blog,
the code can be pretty dangerous.

Yes, wp_specialchars() would fix it, as it would encode at the very least the < and > into &lt; and &gt;.

Does this BTS have some sort of email interface? :/

01/15/06 23:41:19 changed by ryan

  • milestone set to 2.0.1.

01/15/06 23:42:12 changed by ryan

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [3440]) wp_specialchars the request URI when constructing paging links. fixes #1686
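To make the bug in hendry's sample URLs above and the fix in [3440] concrete, here is an added, stand-alone PHP illustration. It is not WordPress code: next_page_link_vulnerable() and next_page_link_fixed() are simplified stand-ins for a paging-link builder that copies the request URI into an href, and wp_specialchars_stub() is an assumed stand-in for wp_specialchars() that escapes the characters relevant here (it wraps PHP's htmlspecialchars with ENT_QUOTES, which is an assumption about behaviour, not a description of the WordPress function). The two request URIs are constructed: one percent-encoded as a browser that encodes < and > would send it, one raw as described in the ticket.

```php
<?php
// Added example (not WordPress code). Shows why building a "Next Page"
// link from the raw request URI is an XSS, and how escaping closes it.

// Assumed stand-in for wp_specialchars(): escape &, <, > and quotes.
// Quotes matter because the URI lands inside a double-quoted attribute.
function wp_specialchars_stub(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable (hypothetical): the request URI is dropped into the href verbatim,
// so a "> in the URI closes the attribute and the tag.
function next_page_link_vulnerable(string $request_uri, int $page): string {
    return '<a href="' . $request_uri . '&amp;paged=' . $page . '">Next Page &raquo;</a>';
}

// Fixed (hypothetical): escape the request URI before it goes into the attribute.
function next_page_link_fixed(string $request_uri, int $page): string {
    return '<a href="' . wp_specialchars_stub($request_uri) . '&amp;paged=' . $page . '">Next Page &raquo;</a>';
}

// Constructed inputs. The first is what a browser that percent-encodes
// sends: the attribute only ever contains %22%3E..., so nothing triggers.
// The second is the raw form that reaches the server unencoded.
$encoded = '/blog/?%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E';
$raw     = '/blog/?"><script>alert(document.cookie)</script>';

foreach ([$encoded, $raw] as $uri) {
    echo "vulnerable: " . next_page_link_vulnerable($uri, 2) . "\n";
    echo "fixed:      " . next_page_link_fixed($uri, 2) . "\n";
}

// With the raw URI the vulnerable output contains a live <script> element;
// the fixed output contains only &quot;&gt;&lt;script&gt;... inside the href.
// A check worth keeping: the fixed link must never contain a raw < or ".
function link_is_safe(string $html_link): bool {
    $attr = substr($html_link, strlen('<a href="'));
    $attr = substr($attr, 0, strpos($attr, '">Next Page'));
    return strpos($attr, '<') === false && strpos($attr, '"') === false;
}
```

Running it shows the vulnerable builder emitting the `"><script>alert(document.cookie)</script>` breakout seen in hendry's IE capture (the `\"` in that capture is a backslash added before the quote on the server side, which does not prevent the breakout), while the fixed builder emits an href that only contains entities. Because the URI sits in a double-quoted attribute, escaping < and > alone is not enough to keep the attribute closed; the stub escapes `"` as well, which is why link_is_safe() checks for both characters.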

11/30/06 19:41:49 changed by

  • milestone deleted.

Milestone 2.0.1 deleted