[38336] in bugtraq
WordPress XSS and HTML injection
daemon@ATHENA.MIT.EDU (Nicolas Montoza)
Tue Apr 12 22:59:27 2005
Message-ID: <d5a0834f050411234731dcae01@mail.gmail.com>
Date: Tue, 12 Apr 2005 03:47:53 -0300
From: Nicolas Montoza <xonico@gmail.com>
Reply-To: Nicolas Montoza <xonico@gmail.com>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com,
news@securiteam.com, helpout@wordpress.org, sec@soulblack.com.ar,
bugs@securitytracker.com, submissions@packetstormsecurity.org,
vuln@secunia.com
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
============================================================
Title: WordPress XSS and HTML injection
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 12/04/2005
Severity: Medium. Users can obtain the cookies of other users and deface the website.
Affected version: <= 1.5
============================================================
============================================================
*Summary:
WordPress (http://wordpress.org) is a popular blogging system built on
PHP (the scripting language) and is licensed under the GPL. It is free
software supported by a large and vibrant community of users. You can
use WordPress as a stand-alone application to publish your web log, or
incorporate its functionality into an existing site.
============================================================
*Problem Description:
The bug is in the title and content of a post: the characters entered
there are not filtered, so HTML code can be injected.
============================================================
*Example:
Type the following in the title or content of a post:
<script>alert(document.cookie)</script>
<iframe src=http://othersite/sb.php>
============================================================
*Fix:
In wordpress\wp-includes\template-functions-post.php, find the function
function get_the_title($id = 0) {
.
.
.
return $title;
}
and replace it with the following function:
function get_the_title($id = 0) {
.
.
.
// Encode the characters a tag or script call needs before the title is
// returned. The entity strings below are reconstructed: the archived copy
// shows the replacement list decoded back to the literal characters, and
// the posted code encoded $output but returned $title, so $title is used.
$sb_convert = $title;
$sb_input = array("<",">","(",")");
$sb_output = array("&lt;","&gt;","&#40;","&#41;");
$title = str_replace($sb_input, $sb_output, $sb_convert);
return $title;
}
function get_the_content($more_link_text = '(more...)', $stripteaser =
0, $more_file = '') {
.
.
.
return $output;
}
and replace it with the following function:
function get_the_content($more_link_text = '(more...)', $stripteaser =
0, $more_file = '') {
.
.
.
// Same encoding step applied to the post content before it is returned
// (entity strings reconstructed as in get_the_title above).
$sb_convert = $output;
$sb_input = array("<",">","(",")");
$sb_output = array("&lt;","&gt;","&#40;","&#41;");
$output = str_replace($sb_input, $sb_output, $sb_convert);
return $output;
}
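Added here as a worked example that is not part of the advisory or of WordPress: the advisory's encoding step as a stand-alone PHP function beside PHP's built-in htmlspecialchars(), run over the two payloads from the Example section above (the function names sb_encode, safe_encode and is_inert are assumed).

```php
<?php
// Added example, not code from the advisory or from WordPress: the
// advisory's output-encoding idea as a stand-alone function, next to
// PHP's built-in htmlspecialchars(), applied to the advisory's own
// payloads. Function names (sb_encode, safe_encode, is_inert) are assumed.

// The advisory's fix: encode the four characters it lists.
function sb_encode($text) {
    $sb_input  = array("<", ">", "(", ")");
    $sb_output = array("&lt;", "&gt;", "&#40;", "&#41;");
    return str_replace($sb_input, $sb_output, $text);
}

// Built-in alternative: also encodes & and both quote characters, which
// the advisory's four-character list leaves untouched.
function safe_encode($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'ISO-8859-1');
}

// Minimal check that encoded text can no longer open or close a tag.
function is_inert($encoded) {
    return strpos($encoded, '<') === false && strpos($encoded, '>') === false;
}

// Constructed inputs: the two payloads from the advisory's Example section
// and an ordinary title with characters a legitimate author may type.
$samples = array(
    '<script>alert(document.cookie)</script>',
    '<iframe src=http://othersite/sb.php>',
    'Tom & Jerry\'s "best" post',
);

foreach ($samples as $s) {
    $a = sb_encode($s);
    $b = safe_encode($s);
    assert(is_inert($a) && is_inert($b));
    printf("advisory:  %s\nbuilt-in:  %s\n\n", $a, $b);
}
```

The third sample shows the difference between the two: sb_encode() leaves & and quotes as they are, while htmlspecialchars() encodes them as well. Encoding every < and > in get_the_content() also neutralises legitimate HTML markup in a post body, so an allow-list HTML filter is usually preferred there over blanket entity encoding.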
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar