Ticket #4811 (closed defect (bug): fixed)

Opened 1 year ago

Last modified 1 year ago

CSRF & XSS on some importers

Reported by: xknown Assigned to: anonymous
Priority: high Milestone: 2.3
Component: Security Version: 2.3
Severity: major Keywords: has-patch commit
Cc:

Description

On trunk, Ultimate Tag Warrior and Category to Tag Converter are vulnerable to CSRF and XSS.

Proofs of Concept

  1. CSRF: Convert all categories to tags without user confirmation. http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&step=4

  2. XSS: Someone has committed code to debug wp-cat2tag converter:
    echo '<!--'; print_r($_POST); print_r($_GET); echo '-->';

    It allows XSS attacks:
    http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&--><script>alert(/XSS/)</script>
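The two patterns described above, as an added illustration rather than the attached importers.diff: the unescaped debug dump beside an escaped version, and the unprotected converter step beside one guarded by a WordPress nonce. check_admin_referer() and wp_nonce_url() are WordPress core functions; the action name 'import-cat2tag' and the helper convert_all_categories_to_tags() are assumptions made for this example.

```php
<?php
// Added illustration, not the ticket's patch. Assumes a WordPress admin
// context; 'import-cat2tag' and convert_all_categories_to_tags() are
// hypothetical names.

// Vulnerable: the debug dump reflects $_GET/$_POST unescaped. A query
// string containing "-->" closes the HTML comment, so whatever follows
// it (e.g. a <script> element) is rendered and executed by the browser.
function cat2tag_debug_vulnerable() {
    echo '<!--'; print_r($_POST); print_r($_GET); echo '-->';
}

// Vulnerable: the destructive step runs on a plain GET with no token, so
// any page a logged-in admin visits can trigger step=4 on their behalf.
function cat2tag_convert_vulnerable() {
    if ( isset( $_GET['step'] ) && (int) $_GET['step'] === 4 ) {
        convert_all_categories_to_tags(); // hypothetical helper
    }
}

// Hardened: debug output is not shipped, and if it is ever emitted it is
// HTML-escaped and placed in visible markup, not hidden in a comment.
// htmlspecialchars() turns "-->" and "<script>" into inert text.
function cat2tag_debug_hardened() {
    $dump = print_r( array( 'GET' => $_GET, 'POST' => $_POST ), true );
    echo '<pre>' . htmlspecialchars( $dump, ENT_QUOTES, 'UTF-8' ) . '</pre>';
}

// Hardened: the link to the step carries a nonce tied to the current user
// and action, and the step verifies it before doing any work.
function cat2tag_step_link() {
    return wp_nonce_url( 'admin.php?import=wp-cat2tag&step=4', 'import-cat2tag' );
}

function cat2tag_convert_hardened() {
    if ( isset( $_GET['step'] ) && (int) $_GET['step'] === 4 ) {
        // Dies with an error page if the nonce is missing, stale or forged,
        // so a cross-site GET/POST cannot reach the conversion.
        check_admin_referer( 'import-cat2tag' );
        convert_all_categories_to_tags();
    }
}
```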
    

Attachments

importers.diff (2.6 kB) - added by xknown on 08/25/07 02:57:39.
Avoid CSRF and XSS on some importers

Change History

08/25/07 02:57:39 changed by xknown

  • attachment importers.diff added.

Avoid CSRF and XSS on some importers

08/25/07 03:25:12 changed by rob1n

  • keywords set to has-patch commit.
  • priority changed from normal to high.
  • severity changed from normal to major.
  • milestone set to 2.3.

I'm partially to blame for the UTW importer (didn't check it over before committing) and wholly to blame for the second one (bad coding).

+2 to the patch.

08/25/07 17:07:10 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [5941]) Add nonces to tag importers. Props xknown. fixes #4811