Ticket #3986 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

XSS in wp_nonce_ays

Reported by: xknown Assigned to: anonymous
Priority: highest omg bbq Milestone: 2.0.10
Component: Security Version: 2.0.9
Severity: normal Keywords: has-patch
Cc:

Description

There's a small XSS vulnerability in wp_nonce_ays that requires user intervention: attribute_escape is useless when _wp_http_referer contains something like javascript:alert("XSS").

PoC (click "No"): http://wp/wp-admin/plugins.php?action=activate&plugin=akismet/akismet.php&_wp_http_referer=javascript:alert(%22XSS%22)
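Added example (not WordPress code and not part of the ticket): a stand-alone PHP script contrasting the two escaping strategies the ticket is about. escape_for_attribute() stands in for attribute_escape() (pure HTML-attribute escaping), and sanitize_href() is a simplified stand-in for the clean_url()-style scheme allow-list the fix switched to; both function names, the allow-list, and the sample referer values are assumptions for illustration, not the real WordPress implementations.

```php
<?php
// Added example, not WordPress code. Names and the allow-list below are
// illustrative assumptions; the real attribute_escape()/clean_url() differ.

// HTML-attribute escaping: keeps the value inside the quoted attribute,
// but a javascript: scheme survives untouched, so the link still executes.
function escape_for_attribute(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Scheme allow-list in the spirit of clean_url(): strip the control
// characters and whitespace browsers ignore inside a scheme, then require
// either no scheme (relative path) or one from the allow-list.
function sanitize_href(string $url): string {
    // "java\tscript:" is still treated as javascript: by browsers, so
    // remove ASCII control chars and whitespace before inspecting the scheme.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if ($url === null || $url === '') {
        return '';
    }
    $allowed = ['http', 'https', 'ftp', 'mailto'];
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        if (!in_array(strtolower($m[1]), $allowed, true)) {
            return ''; // javascript:, data:, vbscript:, ... are dropped
        }
    }
    // Validation and escaping are separate steps: a valid URL still has to
    // be attribute-escaped so a quote in it cannot break out of href="...".
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// The "No" link of the are-you-sure page, built with either filter.
function render_no_link(string $referer, callable $filter): string {
    return '<a href="' . $filter($referer) . '">No</a>';
}

// Constructed sample values for _wp_http_referer.
$payloads = [
    'javascript:alert("XSS")',                  // the ticket's PoC
    "java\tscript:alert(1)",                    // tab inside the scheme
    'data:text/html,<script>alert(1)</script>', // another executable scheme
    '/wp-admin/plugins.php?page=1&x=2',         // legitimate relative referer
    'http://wp/wp-admin/plugins.php',           // legitimate absolute referer
];

foreach ($payloads as $p) {
    echo "input:        " . addcslashes($p, "\0..\37") . "\n";
    echo "attr-escaped: " . render_no_link($p, 'escape_for_attribute') . "\n";
    echo "sanitized:    " . render_no_link($p, 'sanitize_href') . "\n\n";
}
```

Run with `php example.php`. The first three inputs come out of escape_for_attribute() as syntactically valid, still-executable href values (the quotes are encoded, the scheme is not), while sanitize_href() empties them and passes the two legitimate referers through unchanged. Note that a scheme allow-list only answers "can this URL run script"; a protocol-relative value such as //attacker.example has no scheme and passes, so whether a referer should be allowed to point off-site is a separate check.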

Attachments

functions.diff (436 bytes) - added by xknown on 03/17/07 04:24:15.
Proposed fix
clean_url-admin_a-l.diff (7.7 kB) - added by ryan on 03/17/07 08:15:24.
Use clean_url where appropriate. Admin files A - L.
trunk_wp-admin_m-z.diff (4.8 kB) - added by markjaquith on 03/17/07 08:15:51.
trunk/wp-admin/ (m-z)
trunk_wp-includes_m-z.diff (0.7 kB) - added by markjaquith on 03/17/07 08:16:49.
trunk/wp-includes/ (m-z)
clean_url-includes_a-l.diff (5.1 kB) - added by ryan on 03/17/07 08:29:55.
clean_url() for wp-includes A - L
trunk_inclusive.diff (18.7 kB) - added by markjaquith on 03/17/07 08:38:20.
trunk/
2.1_inclusive.diff (19.1 kB) - added by markjaquith on 03/17/07 08:45:00.
branches/2.1/ patch
2.0_inclusive.diff (5.7 kB) - added by markjaquith on 03/17/07 09:01:21.
branches/2.0/ patch

Change History

03/17/07 04:24:15 changed by xknown

  • attachment functions.diff added.

Proposed fix

03/17/07 08:15:24 changed by ryan

  • attachment clean_url-admin_a-l.diff added.

Use clean_url where appropriate. Admin files A - L.

03/17/07 08:15:51 changed by markjaquith

  • attachment trunk_wp-admin_m-z.diff added.

trunk/wp-admin/ (m-z)

03/17/07 08:16:49 changed by markjaquith

  • attachment trunk_wp-includes_m-z.diff added.

trunk/wp-includes/ (m-z)

03/17/07 08:29:55 changed by ryan

  • attachment clean_url-includes_a-l.diff added.

clean_url() for wp-includes A - L

03/17/07 08:34:59 changed by Nazgul

  • keywords set to has-patch.
  • priority changed from low to highest omg bbq.

The given PoC didn't work for me out of the box, but with some fiddling I got it to work.

2.0.x, 2.1.x and trunk are all vulnerable.

The given patch takes the sting out of the attack on my tests.

Also please note that the attached patch was made from the wp-includes directory and not from the root.

03/17/07 08:36:44 changed by Nazgul

Guess I was typing too slow. :)

03/17/07 08:38:20 changed by markjaquith

  • attachment trunk_inclusive.diff added.

trunk/

03/17/07 08:42:54 changed by ryan

We're using clean_url instead of attribute_escape for content that goes in an href or src.

03/17/07 08:45:00 changed by markjaquith

  • attachment 2.1_inclusive.diff added.

branches/2.1/ patch

03/17/07 08:47:07 changed by markjaquith

  • status changed from new to closed.
  • resolution set to fixed.

(In [5056]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

03/17/07 08:47:37 changed by markjaquith

(In [5057]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

03/17/07 09:01:21 changed by markjaquith

  • attachment 2.0_inclusive.diff added.

branches/2.0/ patch

03/17/07 09:05:01 changed by markjaquith

(In [5058]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.

03/19/07 18:36:20 changed by Nazgul

  • version changed from 2.1.2 to 2.0.9.
  • milestone changed from 2.1.3 to 2.0.10.