Ticket #3973 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

XSRF, XSS security hole for users with unfiltered_html capability

Reported by: markjaquith Assigned to: markjaquith
Priority: highest omg bbq Milestone: 2.0.10
Component: Security Version: 2.1.2
Severity: critical Keywords: comment nonce form security XSS XSRF
Cc:

Description

As reported at:

http://www.virtuax.be/advisories/Advisory4-20022007.txt

Users with the unfiltered_html capability get to skip KSES stripping of harmful HTML markup. An XSRF attack can be used to trick these users into submitting comments with harmful XSS-laden markup.

Attached patch is a first stab at a solution for trunk, 2.0.x and 2.1.x

The patch alters wp_nonce_field() so that the form field name can be specified. For users with unfiltered_html, the comment_form hook is used to call wp_nonce_field() and inject a hidden nonced field under a special name.

On comment submit, users with unfiltered_html have this nonce checked. If the nonce check fails, KSES silently reverts to normal non-unfiltered_html operation, zapping any XSS-esque content and rendering the attack useless. This silent fallback is used so that themes without the comment_form hook don't block unfiltered_html-capable comments... they just sanitize them more closely than they would if the theme supported the comment_form hook.

Triple milestone: 2.2 (trunk), 2.1.3, 2.0.10

Trunk has been tested with this patch, and 2.1.x applied cleanly. 2.0.x has not yet been tested.
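The mechanism the description lays out (inject a dedicated nonce field for unfiltered_html users via the comment_form hook, verify it on submit, and silently fall back to KSES filtering when it is missing or invalid) is illustrated below as a small must-use plugin. This is an added example written for this page, not the attached patch or WordPress core code; the action string and field name (`example-unfiltered-html-comment`, `_example_unfiltered_html_comment`) and the function names prefixed `example_` are chosen here for illustration and are not the identifiers the patch uses. It assumes the theme fires `do_action( 'comment_form', $post_id )` inside its comment form and relies on `wp_nonce_field()` accepting a field name as its second argument, which is the change the ticket describes.

```php
<?php
/**
 * Illustrative must-use plugin: nonce-gate the KSES bypass that the
 * unfiltered_html capability grants on comment submission.
 * Added example for this page; names below are assumed, not the patch's own.
 */

// Assumed names for this example only.
define( 'EXAMPLE_UNFILTERED_ACTION', 'example-unfiltered-html-comment' );
define( 'EXAMPLE_UNFILTERED_FIELD', '_example_unfiltered_html_comment' );

/**
 * Step 1: on the `comment_form` action, give unfiltered_html-capable users a
 * hidden nonce field with its own name, kept apart from the generic _wpnonce.
 * Ordinary users get no field because KSES filters them unconditionally.
 */
function example_unfiltered_html_nonce_field( $post_id ) {
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		return;
	}
	// Bind the nonce to the post so a token issued for one thread is not
	// replayable against another. Third argument false: no referer field.
	wp_nonce_field( EXAMPLE_UNFILTERED_ACTION . '_' . (int) $post_id, EXAMPLE_UNFILTERED_FIELD, false );
}
add_action( 'comment_form', 'example_unfiltered_html_nonce_field' );

/**
 * Step 2: on submission, decide whether this particular comment may skip KSES.
 * `preprocess_comment` runs in wp_new_comment() before the `pre_comment_content`
 * filters that sanitize the body, so swapping filters here takes effect.
 */
function example_unfiltered_html_check( $commentdata ) {
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		return $commentdata; // Core already applies wp_filter_kses to these users.
	}

	$post_id = isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0;
	$nonce   = isset( $_POST[ EXAMPLE_UNFILTERED_FIELD ] ) ? $_POST[ EXAMPLE_UNFILTERED_FIELD ] : '';
	$valid   = ( '' !== $nonce ) && wp_verify_nonce( $nonce, EXAMPLE_UNFILTERED_ACTION . '_' . $post_id );

	if ( ! $valid ) {
		// Nonce absent or forged: either a cross-site request or a theme whose
		// comment form lacks the comment_form hook. Do not reject the comment;
		// silently apply the strict KSES pass so script-bearing markup is removed.
		remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
		add_filter( 'pre_comment_content', 'wp_filter_kses' );
	}
	return $commentdata;
}
add_filter( 'preprocess_comment', 'example_unfiltered_html_check' );
```

The fallback is deliberately silent rather than an error, for the reason the description gives: a theme that never calls the comment_form hook cannot emit the nonce, and its privileged users should still be able to comment, just with the same sanitization everyone else gets. Binding the nonce action to the post ID is a small hardening beyond the description's wording; it costs nothing because the same post ID is available on both the form and the submission side.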

Attachments

unfiltered_html_xsrf_xss.diff (8.7 kB) - added by markjaquith on 03/14/07 22:25:10.
Patch for all three WP branches

Change History

03/14/07 22:25:10 changed by markjaquith

  • attachment unfiltered_html_xsrf_xss.diff added.

Patch for all three WP branches

03/14/07 22:30:58 changed by ryan

Code looks good.

03/14/07 23:11:00 changed by markjaquith

  • status changed from new to closed.
  • resolution set to fixed.

(In [5039]) nonce-protect comments by users with unfiltered_html cap to prevent xsrf/xss. fixes #3973 for trunk

03/14/07 23:12:51 changed by markjaquith

(In [5040]) nonce-protect comments by users with unfiltered_html cap to prevent xsrf/xss. fixes #3973 for 2.1

03/14/07 23:13:39 changed by markjaquith

(In [5041]) nonce-protect comments by users with unfiltered_html cap to prevent xsrf/xss. fixes #3973 for 2.0

03/15/07 00:28:27 changed by technosailor

Reviewing per Ryan on Twitter. (the new mode of communication)... :-)

Looks good here too.

03/16/07 05:17:21 changed by charleshooper

(off topic) Ah, gotta love twitter