Ticket #4689 (closed enhancement: fixed)

Opened 10 months ago

Last modified 9 months ago

Wordpress uploads.php Cross-Site Scripting Vulnerability

Reported by: BenjaminFlesch Assigned to: Nazgul
Priority: highest omg bbq Milestone: 2.2.2
Component: Security Version: 2.2.1
Severity: critical Keywords: has-patch
Cc:

Description

In /upload.php the parameter style is prone to XSS Attacks when editing Temporary Uploads (they usually have a negative ID). An attack could look like this: /upload.php?style=%22%3E{shellcode}&tab=upload&post_id=-1337

Description: http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm/

Patch:

    // IDs should be integers
    $ID = (int) $ID;
    $post_id = (int) $post_id;
  * $style = preg_replace('/[A-Za-z]/', '', $style);

add the line marked with the * to upload.php behind the $post_id one
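The sink this ticket describes, as an added example written for this page (it is neither WordPress code nor the reporter's patch): a form action that interpolates the style and post_id query parameters verbatim, beside the same markup with attribute escaping and an integer cast, which is the shape of the fix the maintainers went on to commit. The form markup, the helper attr_escape() (a stand-in for attribute_escape(), implemented with htmlspecialchars) and the attacker input are all assumptions for illustration.

```php
<?php
// Added example, not WordPress code: why a raw query parameter inside an
// HTML attribute is an XSS sink, and how attribute escaping plus an integer
// cast closes it.

// Vulnerable shape (assumed, modelled on the pre-fix form action):
// $style and $post_id come straight from the query string.
function render_form_action_vulnerable(string $style, string $post_id): string
{
    return '<form action="upload.php?style=' . $style
         . '&amp;tab=upload&amp;post_id=' . $post_id . '" method="post">';
}

// Stand-in for WordPress's attribute_escape(); this helper is our own.
// ENT_QUOTES turns " ' < > & into entities, so the value can neither close
// the surrounding attribute nor open a new tag.
function attr_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Fixed shape: escape the free-form string and force the ID to an int.
// Negative IDs are legitimate here (temporary uploads use them), so the
// cast keeps them while discarding anything that is not a number.
function render_form_action_fixed(string $style, string $post_id): string
{
    $post_id = (int) $post_id;
    return '<form action="upload.php?style=' . attr_escape($style)
         . '&amp;tab=upload&amp;post_id=' . $post_id . '" method="post">';
}

// Demonstration-only check: did a script tag that is not part of our
// template end up in the output?
function contains_injected_tag(string $html): bool
{
    return preg_match('#<script\b#i', $html) === 1;
}

// Constructed attacker input, following the ticket's URL-decoded payload:
// a closing quote and angle bracket, then a script element.
$style   = '"><script>alert(document.cookie)</script>';
$post_id = '-1337';

$bad  = render_form_action_vulnerable($style, $post_id);
$good = render_form_action_fixed($style, $post_id);

echo "Vulnerable: $bad\n";
echo "Fixed:      $good\n";
var_dump(contains_injected_tag($bad));
var_dump(contains_injected_tag($good));
```

Run it with the PHP CLI; the vulnerable line renders the script element inline, the fixed line renders it as harmless entity text and keeps the negative post ID intact. Escaping at the point of output is what makes the fix hold for any value of style, which is why it was preferred over filtering characters out of the input.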

Attachments

4689.diff (0.8 kB) - added by Nazgul on 07/31/07 20:42:23.
4689.002.diff (0.8 kB) - added by markjaquith on 08/01/07 16:20:50.
int-case the ID

Change History

07/31/07 20:40:33 changed by Nazgul

  • keywords set to needs-patch.
  • milestone set to 2.2.2.

Confirmed on 2.2.1 and trunk.

Fix should be putting in a missing attribute_escape instead of the given regex (in my opinion).

07/31/07 20:42:23 changed by Nazgul

  • attachment 4689.diff added.

07/31/07 20:44:10 changed by Nazgul

  • keywords changed from needs-patch to has-patch.
  • owner changed from anonymous to Nazgul.
  • status changed from new to assigned.

Patch puts the needed attribute_escape in place and also puts one around the nearby $post_id as an extra safeguard.

08/01/07 16:20:50 changed by markjaquith

  • attachment 4689.002.diff added.

int-case the ID

08/01/07 16:22:00 changed by markjaquith

BenjaminFlesch, in the future, please submit security bugs to security@wordpress.org

08/01/07 17:20:01 changed by markjaquith

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [5827]) attribute_escape() in upload form action. Props Nazgul. fixes #4689 for trunk

08/01/07 17:21:08 changed by markjaquith

(In [5828]) attribute_escape() in upload form action. Props Nazgul. fixes #4689 for 2.2.x

08/01/07 20:58:19 changed by markjaquith

(In [5837]) More upload escaping. Props Brian Layman. fixes #4689 for trunk

08/01/07 20:58:39 changed by markjaquith

(In [5838]) More upload escaping. Props Brian Layman. fixes #4689 for 2.2.x

08/03/07 18:37:47 changed by hendry

I assume 2.0.11 is not vulnerable as it does not have wp-admin/upload.php

08/03/07 18:45:14 changed by markjaquith

I looked through the equivalent code and couldn't find the issue duplicated in 2.0.x