Ticket #4691 (closed defect: fixed)

Opened 10 months ago

Last modified 9 months ago

WordPress link-import.php Cross-Site Scripting (XSS) Vulnerability

Reported by: BenjaminFlesch
Assigned to: Nazgul
Priority: normal
Milestone: 2.0.11
Component: Security
Version: 2.2.1
Severity: normal
Keywords: has-patch
Cc:

Description

The parameter opml_url isn't sanitized and thereby creates a Cross-Site Scripting vulnerability.

Anyways, for a successful attack the _wpnonce authentication token is needed, so this one is quite useless - no one would use XSS to get a token in order to use another XSS vulnerability on the same domain.

Attachments

4691.diff (444 bytes) - added by Nazgul on 07/31/07 22:14:04.
for_22.patch (488 bytes) - added by g30rg3x on 08/02/07 03:07:52.
For Branch 2.2

Change History

07/31/07 21:59:09 changed by Nazgul

  • milestone set to 2.3 (trunk).

I'm unable to reproduce this one.

Could you give some more info?

07/31/07 22:07:00 changed by BenjaminFlesch

Ah sorry, it's the cat_id. cat_id -> XSS, but you need _wpnonces.

07/31/07 22:14:04 changed by Nazgul

  • attachment 4691.diff added.

07/31/07 22:14:28 changed by Nazgul

  • keywords set to has-patch.
  • owner changed from anonymous to Nazgul.
  • status changed from new to assigned.

08/01/07 19:40:30 changed by matt

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [5835]) Sanitize cat_id, fixes #4691

08/02/07 03:07:52 changed by g30rg3x

  • attachment for_22.patch added.

For Branch 2.2

08/02/07 05:07:34 changed by g30rg3x

Also apply this for branch 2.2, thanks in advance...

08/02/07 15:10:19 changed by markjaquith

  • status changed from closed to reopened.
  • resolution deleted.
  • milestone changed from 2.3 (trunk) to 2.2.2.

08/02/07 15:19:08 changed by markjaquith

(In [5840]) Sanitize cat_id, fixes #4691 for 2.2.x, thanks g30rg3x

08/02/07 15:22:56 changed by markjaquith

  • milestone changed from 2.2.2 to 2.0.11.

08/02/07 15:23:12 changed by markjaquith

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [5841]) Sanitize cat_id, fixes #4691 for 2.0.x