Ticket #3515 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

XSS through author's url in comments

Reported by: xknown Assigned to: anonymous
Priority: high Milestone: 2.0.6
Component: Security Version: 2.0.5
Severity: major Keywords: has-patch
Cc:

Description

Due to bad validation of the author's URL value in comments, someone can easily inject JavaScript code into the href attribute:

You can try with this value in the author's URL field:

javascript:alert(document.cookie);v//://

To "exploit" this bug, as you can see, it needs user (logged-in) interaction.

PS. Sorry for my bad English

Attachments

proto.diff (0.9 kB) - added by andy on 01/02/07 18:13:40.

Change History

01/02/07 01:45:13 changed by Viper007Bond

  • keywords deleted.
  • milestone changed from 2.2 to 2.0.6.

01/02/07 18:13:40 changed by andy

  • attachment proto.diff added.

01/02/07 18:16:34 changed by andy

  • keywords set to has-patch.

Attached proto.diff, which forces clean_url through wp_kses_bad_protocol with the default protocol list. E.g. if "javascript:" is the protocol, it will return an empty string rather than a "sanitized" URL.

This can be applied to 2.0 and trunk.
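The check below is an added illustration of what the reported payload gets past and what an allowlisted-protocol check of the kind proto.diff bolts onto clean_url does with it. It is not WordPress's clean_url() or wp_kses_bad_protocol() and not part of the ticket; the function name check_url_protocol, its default protocol list and the sample values are all assumptions made for this example.

```php
<?php
// Added example, not WordPress code: a minimal allowlisted-protocol check in the
// spirit of the proto.diff fix. check_url_protocol, its default allowlist and the
// sample inputs below are constructed for this illustration.

/**
 * Return $url unchanged if it has no scheme or an allowed one, or an empty
 * string if it carries a disallowed scheme such as javascript:. Like the fix
 * described above, a bad value is dropped outright rather than "sanitized".
 */
function check_url_protocol($url, $allowed = array('http', 'https', 'ftp', 'mailto'))
{
    // Normalise before looking at the scheme, so the obfuscations a browser
    // will happily undo cannot hide it:
    //  - entities ("java&#115;cript:", "javascript&#58;") are decoded once,
    //    which is what an HTML attribute value gets before URL parsing;
    //  - ASCII whitespace and control characters ("java\tscript:", "\njavascript:")
    //    are removed, as the browser's URL parser strips them.
    $normalised = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    $normalised = preg_replace('/[\x00-\x20\x7f]+/', '', $normalised);

    $colon = strpos($normalised, ':');
    if ($colon === false) {
        return $url; // no scheme at all: relative URL or bare host, nothing to reject
    }

    $scheme = strtolower(substr($normalised, 0, $colon));

    // Only a syntactically valid scheme (RFC 3986: ALPHA *(ALPHA / DIGIT / "+" / "-" / "."))
    // makes the first colon a scheme delimiter; "example.com/a:b" is a relative URL.
    if (!preg_match('/^[a-z][a-z0-9+.\-]*$/', $scheme)) {
        return $url;
    }

    // Allowlist, not denylist: anything not explicitly permitted is dropped.
    return in_array($scheme, $allowed, true) ? $url : '';
}

// Constructed sample inputs: the ticket's payload plus common variants of it.
$samples = array(
    'javascript:alert(document.cookie);v//://',  // the reported payload
    "  JaVaScRiPt:alert(1)",                     // leading spaces, mixed case
    "java\tscript:alert(1)",                     // tab inside the scheme
    'java&#115;cript:alert(1)',                  // entity-encoded letter
    'javascript&#58;alert(1)',                   // entity-encoded colon
    'data:text/html,<script>alert(1)</script>',  // another scripting scheme
    'http://example.com/',                       // allowed scheme
    'example.com',                               // no scheme
    'example.com/a:b',                           // colon that is not a scheme delimiter
);

foreach ($samples as $s) {
    $out = check_url_protocol($s);
    printf("%-45s => %s\n", json_encode($s), $out === '' ? '(rejected)' : $out);
}
```

Two design points worth noting: the function returns the caller's original string, not the normalised one, so legitimate URLs are never rewritten, and the scheme comparison happens after decoding and whitespace stripping, because a denylist match on the raw string is exactly what "java&#115;cript:" and "java\tscript:" are built to slip past.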

01/02/07 21:22:44 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [4672]) Add kses protocol checking to clean_url. Props Andy. fixes #3515