Ticket #3879 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

XSS in 2.1.1 in AYS for HTTP GET requests

Reported by: Reaper-X
Assigned to: anonymous
Priority: low
Milestone: 2.1.2
Component: Security
Version: 2.1.1
Severity: normal
Keywords:
Cc:

Description (Last modified by markjaquith)

http://www.securityfocus.com/archive/1/461351/30/0/threaded. http://secunia.com/advisories/24316/ reads:

Input passed to the "post" parameter in wp-admin/post.php (when "action" is set to "delete") is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the target user is logged in as administrator.


The exploit is actually more general than that: for any action that triggers nonce verification, the URL for the "Yes" action is not properly sanitized, and a specially crafted URL can escape from the link's href attribute and inject arbitrary HTML. The "delete" action and the "post" parameter just happen to be the ones used in the example.
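As an added illustration of the pattern the description refers to (example code written for this page, not code from the ticket or from WordPress), the fragment below renders an "Are you sure?" page whose "Yes" link points back at the requested URL, once with the URL dropped straight into the href and once with URL encoding plus attribute escaping, together with a check that a rendered page contains nothing but the prompt and the single link. The request URIs are constructed samples shaped like the advisory's example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample request URIs shaped like the advisory's example
# (wp-admin/post.php, action=delete, a "post" parameter). They are inputs
# made up for this example, not the published proof of concept.
BENIGN_URI = '/wp-admin/post.php?action=delete&post=42'
CRAFTED_URI = '/wp-admin/post.php?action=delete&post=1"><b>injected</b>'

AYS_PROMPT = '<p>Are you sure you want to do this?</p>'


def render_ays_vulnerable(request_uri: str) -> str:
    """The pattern the ticket describes: the requested URL is written straight
    into the 'Yes' link's href, so a double quote in it ends the attribute and
    whatever follows is parsed as markup."""
    return AYS_PROMPT + f'<a href="{request_uri}">Yes</a>'


def render_ays_hardened(request_uri: str) -> str:
    """Two independent layers: percent-encode anything that is not URL-safe in
    the path and query, then HTML-attribute-escape the result before it goes
    into the href. Scheme and host are dropped, so the link stays same-origin."""
    parts = urlsplit(request_uri)
    safe_uri = urlunsplit(('', '', quote(parts.path, safe='/'),
                           quote(parts.query, safe='=&'), ''))
    return AYS_PROMPT + f'<a href="{html.escape(safe_uri, quote=True)}">Yes</a>'


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def yes_link_is_intact(page: str) -> bool:
    """Check for a rendered AYS page: the only elements present must be the
    prompt paragraph and the single 'Yes' anchor. Any extra element means the
    href was terminated early by the request URL."""
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags == ['p', 'a']


if __name__ == '__main__':
    for name, render in (('vulnerable', render_ays_vulnerable),
                         ('hardened', render_ays_hardened)):
        print(f'{name}: intact={yes_link_is_intact(render(CRAFTED_URI))}')
```

The same check can be run over any server-rendered confirmation page, since it only needs the rendered HTML, not the request that produced it.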

Change History

02/27/07 11:53:56 changed by markjaquith

  • status changed from new to closed.
  • resolution set to fixed.

02/27/07 17:58:04 changed by foolswisdom

  • description changed.
  • summary changed from XSS in 2.1.1 to XSS in 2.1.1 input passed to the "post" parameter in wp-admin/post.php.

02/27/07 23:14:12 changed by markjaquith

  • description changed.
  • summary changed from XSS in 2.1.1 input passed to the "post" parameter in wp-admin/post.php to XSS in 2.1.1 in AYS for HTTP GET requests.

Just clearing up some confusion... some people think that this has something to do with deleting posts because of the specific example that was released. The exploit is more general than that, and it is purely an XSS hole.