-
08-21-2011, 05:00 AM #1 (Garage Member, joined Jul 2010)
WordPress 3.2.1 Core (post-template.php) Improper Sanitizing (Persistent XSS)
=======================================================
Improperly sanitized code in the WordPress core module (post-template.php)
causes cross-site scripting.
An author can simply update his post title to </a><script>alert('1');</script><a>
and it will pop an alert on the index page and the post page.
Below are temporary patches for fixing it.
The vendor has been notified about this vulnerability.
/* This will patch the XSS on the index page */
Vulnerable Code Part 1
Vulnerable Code Part 2
PHP Code:
function the_title($before = '', $after = '', $echo = true) {
    $title = get_the_title();
    if ( strlen($title) == 0 )
        return;
    $title = $before . $title . $after;
    if ( $echo )
        echo htmlentities($title);   /* Line No 52 Patch */
    else
        return htmlentities($title); /* Line No 54 Patch */
}
PHP Code:
function the_title_attribute( $args = '' ) {
    $title = get_the_title();
    if ( strlen($title) == 0 )
        return;
    $defaults = array('before' => '', 'after' => '', 'echo' => true);
    $r = wp_parse_args($args, $defaults);
    extract( $r, EXTR_SKIP );
    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title));
    if ( $echo )
        echo htmlentities($title);   /* Line No 87 Patch here by adding htmlentities */
    else
        return htmlentities($title); /* Line No 89 Patch */
}
/* This will patch the XSS on the post page */
Vulnerable Code Part 3
PHP Code:
function get_the_title( $id = 0 ) {
    $post = &get_post($id);
    $title = isset($post->post_title) ? $post->post_title : '';
    $id = isset($post->ID) ? $post->ID : (int) $id;
    if ( !is_admin() ) {
        if ( !empty($post->post_password) ) {
            $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
            $title = sprintf($protected_title_format, $title);
        } else if ( isset($post->post_status) && 'private' == $post->post_status ) {
            $private_title_format = apply_filters('private_title_format', __('Private: %s'));
            $title = sprintf($private_title_format, $title);
        }
    }
    return htmlentities(apply_filters( 'the_title', $title, $id )); /* Line No 119 Patch */
}
Last edited by silentph33r; 02-16-2012 at 06:02 PM.
-
-
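The breakout described in post #1, as an added example that is not part of the thread or of WordPress core. It models only the theme output path: a loop that prints a post title once as link text (what the_title() echoes) and once inside a title="" attribute (what the_title_attribute() echoes, which in the posted code already runs through esc_attr(strip_tags(...))). The sample posts, the two render functions and the esc_* helpers are constructed stand-ins, not WordPress functions, and nothing here models whatever filtering WordPress applies when the title is saved. The third sample title contains no tags at all, to show why strip_tags() on its own is not enough in attribute context.

```php
<?php
// Added example, not code from the thread or from WordPress core.
// Models a theme loop that prints a post title in two HTML contexts:
// as link text (the_title) and inside a title="" attribute (the_title_attribute).
// $posts is constructed sample data; the render/esc functions are hypothetical stand-ins.

declare(strict_types=1);

// Constructed sample posts: a benign title, the thread's payload, and an
// attribute-context payload that contains no tags at all.
$posts = [
    ['ID' => 1, 'post_title' => 'Hello world'],
    ['ID' => 2, 'post_title' => "</a><script>alert('1');</script><a>"],
    ['ID' => 3, 'post_title' => '" onmouseover="alert(2)'],
];

// Escaping for text content between tags.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escaping for a double-quoted attribute value. Same encoding here, but kept
// as a separate function because the two contexts diverge for URL/JS attributes.
function esc_attribute(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable renderer: mirrors the pre-patch behaviour, where the stored title
// reaches the link text unescaped. The attribute path only strips tags, so
// post 2 is harmless there but post 3 (no tags, just a quote) breaks out.
function render_vulnerable(array $post): string {
    $text = $post['post_title'];
    $attr = strip_tags($post['post_title']);
    return sprintf('<a href="/?p=%d" title="%s">%s</a>', $post['ID'], $attr, $text);
}

// Hardened renderer: escape at output time, once, per context.
function render_hardened(array $post): string {
    $text = esc_text($post['post_title']);
    $attr = esc_attribute(strip_tags($post['post_title']));
    return sprintf('<a href="/?p=%d" title="%s">%s</a>', $post['ID'], $attr, $text);
}

// Crude structural check: a literal <script, more than the single expected
// <a open tag, or an on*=" event attribute means data altered the markup.
function markup_broken(string $html): bool {
    return stripos($html, '<script') !== false
        || preg_match_all('/<a\b/i', $html) !== 1
        || preg_match('/\son[a-z]+\s*="/i', $html) === 1;
}

foreach ($posts as $post) {
    $vuln = render_vulnerable($post);
    $safe = render_hardened($post);
    printf("post %d\n  vulnerable: %s\n    -> broken=%s\n  hardened:   %s\n    -> broken=%s\n",
        $post['ID'], $vuln, markup_broken($vuln) ? 'yes' : 'no',
        $safe, markup_broken($safe) ? 'yes' : 'no');
}
```

Running it shows post 2 closing the anchor and injecting a script element through the text path, post 3 turning the title="" attribute into an onmouseover handler through the attribute path, and both rendered inert by the hardened renderer; post 1 is unchanged in both. The point the thread's patches make is the same: escape at the output sink, for the context the value lands in, rather than trusting that stored data is clean.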
08-21-2011, 05:21 AM #2 (Garage Newcomer, joined Dec 2010)
WP's core module being vulnerable to XSS reminded me of one of the status updates Rahul once put on Facebook, about one of his seniors trying basic SQLi on Gmail, and the vote was whether he was optimistic or stupid.
I would reply, optimistic! \m/
Never under-estimate anyone and......... never over-estimate either!
31337 - 7H15 15 4n 4nn071ng!
Study English - write Eleet
-
08-21-2011, 11:09 AM #3 (Security Researcher, India, joined Jul 2010)
Great work, keep it up, some good action, and a few points to note:
1) Since it's a WP core module, there are many vulnerability vendors that pay for vBulletin and WordPress bugs.
2) Was this full disclosure? Or did you contact the vendor? (Either way not an issue, just a doubt.)
3) You kind of missed putting in details of the attack surface, like whether guest or user accounts can exploit this or only admin could trigger the bug. This sort of info would be helpful to n00bs like us.
Hacking Is a Matter of Time Knowledge and Patience
-
08-21-2011, 11:20 AM #4 (Garage Member, joined Jul 2010)
This can be called full disclosure (with patch).
I also notified the vendor, and this can be triggered by a user with an author account.
-
09-04-2011, 07:23 PM #7 (Garage Newcomer, joined Sep 2011)
This wasn't found by you, it was found by t0asty from Belegit.
Why did you rip him off? I'm sure he'll be pissed...
-
09-05-2011, 10:26 AM #8 (Garage Hyper Addict, irc.freenode.net #g4h, joined Jul 2010)
[*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
------> become the master!!! <------
[*] Everyone has a will to WIN but very few have the will to prepare to WIN
[*] Invest yourself in everything you do, there's fun in being serious
-
11-22-2011, 03:53 AM #9 (Garage Newcomer, joined Nov 2011)
I suggest another patch: instead of passing the $title variables through the htmlentities function, which shows wrong UTF-8 characters in post titles, we could use the strip_tags and esc_attr functions to sanitize.
PHP Code:
function the_title($before = '', $after = '', $echo = true) {
    $title = get_the_title();
    if ( strlen($title) == 0 )
        return;
    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title)); // Add this PATCH just after line #49
    if ( $echo )
        echo $title;
    else
        return $title;
}
PHP Code:
function the_title_attribute( $args = '' ) {
    $title = get_the_title();
    if ( strlen($title) == 0 )
        return;
    $defaults = array('before' => '', 'after' => '', 'echo' => true);
    $r = wp_parse_args($args, $defaults);
    extract( $r, EXTR_SKIP );
    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title)); // Add this PATCH line after line #83
    if ( $echo )
        echo $title;
    else
        return $title;
}
PHP Code:
function get_the_title( $id = 0 ) {
    $post = &get_post($id);
    $title = isset($post->post_title) ? $post->post_title : '';
    $id = isset($post->ID) ? $post->ID : (int) $id;
    if ( !is_admin() ) {
        if ( !empty($post->post_password) ) {
            $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
            $title = sprintf($protected_title_format, $title);
        } else if ( isset($post->post_status) && 'private' == $post->post_status ) {
            $private_title_format = apply_filters('private_title_format', __('Private: %s'));
            $title = sprintf($private_title_format, $title);
        }
    }
    return esc_attr(apply_filters( 'the_title', $title, $id )); // Patch to line #119
}
Now the titles on posts are sanitized and won't allow cross-site scripting. Hope this helps.
-
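The "wrong UTF-8 characters" that post #9 raises against the htmlentities() patch from post #1, as an added example that is not from the thread or from WordPress core. On PHP releases before 5.4, htmlentities() defaulted to ISO-8859-1, so each byte of a multi-byte UTF-8 character was treated as a separate Latin-1 character and replaced with its own named entity; the script passes that charset explicitly so the effect reproduces on any PHP version. The comparison function uses htmlspecialchars() with an explicit UTF-8 charset, which is (to my understanding) the primitive WordPress's esc_attr()/esc_html() are built on; the sample titles and the two helper functions are constructed for this demonstration.

```php
<?php
// Added example, not from the thread or from WordPress core. Shows why the
// htmlentities() patch in post #1 corrupts non-ASCII titles and why a
// UTF-8-aware htmlspecialchars() does not. Sample titles are constructed.

declare(strict_types=1);

// Constructed sample titles: accented Latin, CJK, and the thread's payload.
$titles = [
    'Café del Mar',
    '日本語のタイトル',
    "</a><script>alert('1');</script><a>",
];

// What post #1's patch did on PHP < 5.4, where htmlentities() defaulted to
// ISO-8859-1: every byte of a UTF-8 sequence is read as a Latin-1 character
// and turned into that character's named entity (e.g. C3 A9 "é" becomes
// "&Atilde;&copy;"). The charset is passed explicitly to reproduce that.
function escape_legacy_htmlentities(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'ISO-8859-1');
}

// Post #9's direction: escape only the HTML-significant characters and
// declare UTF-8, so multi-byte characters pass through untouched. This is
// assumed here to be the primitive behind WordPress's esc_attr()/esc_html().
function escape_utf8(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output escaping must be lossless: decoding the escaped form as UTF-8 has
// to give back exactly the original code points.
function roundtrips(string $s, callable $esc): bool {
    return html_entity_decode($esc($s), ENT_QUOTES, 'UTF-8') === $s;
}

// Counts titles that a given escaper damages; 0 is the bar a patch must meet.
function count_mangled(array $titles, callable $esc): int {
    $n = 0;
    foreach ($titles as $t) {
        if (!roundtrips($t, $esc)) {
            $n++;
        }
    }
    return $n;
}

foreach ($titles as $t) {
    printf("input:        %s\n", $t);
    printf("htmlentities: %s  (round-trips: %s)\n", escape_legacy_htmlentities($t),
        roundtrips($t, 'escape_legacy_htmlentities') ? 'yes' : 'no');
    printf("utf8 escape:  %s  (round-trips: %s)\n\n", escape_utf8($t),
        roundtrips($t, 'escape_utf8') ? 'yes' : 'no');
}

printf("titles mangled by legacy htmlentities: %d\n", count_mangled($titles, 'escape_legacy_htmlentities'));
printf("titles mangled by UTF-8 escaping:      %d\n", count_mangled($titles, 'escape_utf8'));
```

Both escapers neutralise the script payload, which is why post #1's patch looked correct on an ASCII-only test site; only the round-trip check on non-ASCII titles separates them. The same check is worth running against any output-escaping patch: the escaped form must decode back to the original text for every title the site can hold, not just for the attack string.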
01-20-2012, 05:03 AM #10
Congrats, silent, on your first exploit.. (peace out if you wrote another before)
also note fb1's suggestion no 1