Thread: Wordpress 3.2.1 Core (post-template.php) Improper Sanitizing(Persistent XSS)

WP's Core module vulnerable to XSS reminded about one of the status updates that Rahul had put once on Facebook about, one of his senior trying basic SQLi on Gmail and vote was whether he was optimistic or stupid.
I would reply, optimistic! \m/

Never under-estimate anyone and......... never over-estimate either!

Great Work keep it up, , some good action , and few points to note.'

1) Since it's WP core module, there are many vulnerability vendors which pays for Vbulletin and Wordpress bugs.
2) Was this a full disclosure ? or did u contact the vendor(either way not an issue , just a doubt).
3) You kind of missed to put in detail of the attack surface, like is it possible for (guest, user) accounts to exploit this or only admin could trigger the bug . These sort of info would be helpful to N00bs like us .

this can be said as Full Disclosure (With Patch)

And i also notified the vendor and this can be triggered with user having author account.

Originally Posted by silentph33r

this can be said as Full Disclosure (With Patch)

And i also notified the vendor and this can be triggered with user having author account.

Nice find also note fb1's suggestion no 1

Originally Posted by silentph33r

this can be said as Full Disclosure (With Patch)

And i also notified the vendor and this can be triggered with user having author account.

Nice find also note fb1's suggestion no 1

This wasnt found by you, it was found by t0asty from Belegit.

Why did you rip him off? Im sure hell be pissed...

Originally Posted by lol

This wasnt found by you, it was found by t0asty from Belegit.

Why did you rip him off? Im sure hell be pissed...

Banned!
Should have presented proof instead of just blaming.

I suggest another patch, instead parsing $title variables through htmlentities function, thus showing wrong UTF-8 characters in post titles, we could use the strip_tags and esc_attr functions to sanitize.

PHP Code:

function the_title($before = '', $after = '', $echo = true) {
    $title = get_the_title();

    if ( strlen($title) == 0 )
        return;

    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title)); // Add this PATCH just after line #49
    if ( $echo )
        echo $title;
    else
        return $title;
} 


PHP Code:

function the_title_attribute( $args = '' ) {
    $title = get_the_title();

    if ( strlen($title) == 0 )
        return;

    $defaults = array('before' => '', 'after' =>  '', 'echo' => true);
    $r = wp_parse_args($args, $defaults);
    extract( $r, EXTR_SKIP );


    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title)); // Add this PATCH line after line #83

    if ( $echo )
        echo $title;
    else
        return $title;
} 


PHP Code:

function get_the_title( $id = 0 ) {
    $post = &get_post($id);

    $title = isset($post->post_title) ? $post->post_title : '';
    $id = isset($post->ID) ? $post->ID : (int) $id;

    if ( !is_admin() ) {
        if ( !empty($post->post_password) ) {
            $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
            $title = sprintf($protected_title_format, $title);
        } else if ( isset($post->post_status) && 'private' == $post->post_status ) {
            $private_title_format = apply_filters('private_title_format', __('Private: %s'));
            $title = sprintf($private_title_format, $title);
        }
    }
        return esc_attr(apply_filters( 'the_title', $title, $id )); // Patch to line #119 
} 


Now the titles on posts are sanitized and wont allow Cross-Site Scripting. Hope this help.

Cong0 silent for ur first exploit..(peace out if u wrote another before)