Ticket #4012 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

XSS on page-new.php

Reported by: xknown
Assigned to: anonymous
Priority: highest omg bbq
Milestone: 2.0.10
Component: Security
Version: 2.1.2
Severity: normal
Keywords: 2nd-opinion dev-feedback
Cc: charleshooper

Description

Someone posted on sla.cker.org forums a new XSS vulnerability that affects all versions, including the trunk.

Attachments

link-template.diff (305 bytes) - added by xknown on 03/22/07 00:23:32.
Cast to int page id

Change History

03/22/07 00:23:32 changed by xknown

  • attachment link-template.diff added.

Cast to int page id

03/22/07 00:26:23 changed by xknown

The given PoC is: http://wp/wp-admin/page-new.php?saved="><script>alert(123)</script>

PS: The patch is only for the trunk.
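
The following is an added illustration of why the "cast to int" fix closes this XSS; it is not WordPress code and not the attached patch. The function names, the `page.php?post=` link shape and the sample inputs are constructed for the example. It places the unsafe pattern (raw query-string value echoed into an attribute) beside the cast-to-int fix, and beside attribute escaping for the case where a value genuinely has to remain a string:

```php
<?php
// Added illustration (not WordPress code): why casting a numeric query
// parameter to int neutralises the XSS reported in this ticket.
// Function names and the link shape below are hypothetical.

// Unsafe pattern: the raw query-string value is placed into an href
// attribute, so a value that closes the attribute injects markup.
function build_edit_link_unsafe(string $saved): string {
    return '<a href="page.php?post=' . $saved . '">Edit</a>';
}

// Fixed pattern: the parameter is a post ID, so it must be an integer.
// (int) keeps only a leading numeric prefix and turns anything else
// into 0, so no attacker-controlled characters reach the output.
function build_edit_link_fixed(string $saved): string {
    $post_id = (int) $saved;
    return '<a href="page.php?post=' . $post_id . '">Edit</a>';
}

// Where a value must stay a string, escape it for the attribute context
// instead of relying on a cast; ENT_QUOTES covers both quote styles.
function build_edit_link_escaped(string $saved): string {
    $safe = htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
    return '<a href="page.php?post=' . $safe . '">Edit</a>';
}

// Constructed sample inputs: a normal ID, the shape of this ticket's PoC
// value, a hex-looking string and a numeric prefix with trailing junk.
$samples = ['42', '"><script>alert(123)</script>', '0x1A', '99abc'];

foreach ($samples as $s) {
    echo "input: {$s}\n";
    echo "  unsafe:  " . build_edit_link_unsafe($s) . "\n";   // markup survives
    echo "  cast:    " . build_edit_link_fixed($s) . "\n";    // 42, 0, 0, 99
    echo "  escaped: " . build_edit_link_escaped($s) . "\n";  // &quot;&gt;&lt;script&gt;...
}
```

The cast works here because a post ID has no legitimate non-numeric form, so any value that survives it is safe to emit in any HTML context; for parameters that are not numeric, output escaping for the exact context (attribute, element body, URL) is the general control.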

03/22/07 01:04:20 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [5078]) Cast to int. Props xknown. fixes #4012 for trunk.

03/22/07 01:05:12 changed by ryan

(In [5079]) Cast to int. Props xknown. fixes #4012 for 2.1

03/22/07 02:11:13 changed by charleshooper

  • cc set to charleshooper.
  • keywords set to 2nd-opinion dev-feedback.
  • status changed from closed to reopened.
  • resolution deleted.

Not to step on any toes as I understand this is a high priority item, however, is casting to int adequate? I'm referring to the fact that wp_posts.ID is a BIGINT-sized column and the maximum size integer on 32-bit systems is 2,147,483,647. Not that I think many people out there have over 2 billion posts, but I feel that if we impose a limit (by casting a variable to int) then we should update the schema accordingly. Think of it as a SQL optimization if you must.

03/22/07 02:15:04 changed by charleshooper

  • status changed from reopened to closed.
  • resolution set to fixed.

I just took a look at the schema and also noticed that other tables create their relative post_ID fields as INT(11). I'll close this again and open another ticket as they are separate issues.

03/22/07 03:09:19 changed by ryan

  • status changed from closed to reopened.
  • resolution deleted.
  • milestone changed from 2.1.3 to 2.0.10.

Reopening for 2.0 inclusion.

03/22/07 03:11:43 changed by ryan

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [5080]) Cast to int. Props xknown. fixes #4012 for 2.0