Wordpress uploads.php Cross-Site Scripting Vulnerability

[BenjaminFlesch]

In /upload.php the parameter style is prone to XSS Attacks when editing Temporary Uploads (they usually have a negative ID). An attack could look like this:
/upload.php?style=%22%3E{shellcode}&tab=upload&post_id=-1337

Description: ​http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm/

Patch:
IDs should be integers
$ID = (int) $ID;
$post_id = (int) $post_id;
*$style = preg_replace('/[^{A-Za-z]/', , $style);}

add the line marked with the * to upload.php behind the $post_id one

[Nazgul]

Confirmed on 2.2.1 and trunk.

Fix should be a putiing in a missing attribute_escape instead of the given regex (in my opinion).

[Nazgul]

Patch puts the needed attribute_escape in place and also put one around the nearby $post_id as an extra safeguard.

[markjaquith]

int-case the ID

[markjaquith]

BenjaminFlesch, in the future, please submit security bugs to security@…

[markjaquith]

(In [5827]) attribute_escape() in upload form action. Props Nazgul. fixes #4689 for trunk

[markjaquith]

(In [5828]) attribute_escape() in upload form action. Props Nazgul. fixes #4689 for 2.2.x

[markjaquith]

(In [5837]) More upload escaping. Props Brian Layman. fixes #4689 for trunk

[markjaquith]

(In [5838]) More upload escaping. Props Brian Layman. fixes #4689 for 2.2.x

[hendry]

I assume 2.0.11 is not vulnerable as it does not have wp-admin/upload.php

[markjaquith]

I looked through the equivalent code and couldn't find the issue duplicated in 2.0.x