[wp-hackers] Reputed XSS issue with WordPress (templates.php)
wordpress at nazgul.nu
Tue Feb 13 16:44:15 GMT 2007
This can be triggered by users without the edit files capability. You just
have to trick somebody with that capability into clicking that specially
crafted link, by mailing a link or posting it in a comment for instance.
Also don't forget that a lot of admins have the Remember Me switch toggled
(bad!), which invalidates the "you need to login" approach, because that
happens automatically behind the scenes.
Bas Bosman (Nazgul)
> That's hardly a security problem... if someone has the ability to edit
> files, they can do much more than that.
> On 2/13/07, Alex Günsche <ag.ml2007 at zirona.com> wrote:
>> Today, SecurityFocus reports a Cross-Site Scripting vulnerability for
>> WordPress (http://www.securityfocus.com/bid/22534).
>> However, (at least in my opinion) this is not a real security issue,
>> because a user who wants to execute the URL given in the PoC exploit
>> code must be logged in and have at least the capability to edit files.
>> If the user is not logged in, he will be asked to do so; if he doesn't
>> have the capabilities to edit files, the script will abort immediately.
>> Please see wp-admin/templates.php, ll. 37-60, especially ll. 40-41.
>> So, it might be possible that a user can inject JS via the URL as
>> displayed in the PoC, but when he is able to do this, he would actually
>> be able to write the JS into one of the other WP files anyway (given
>> they are server-writable). The capability of editing files is usually a
>> privilege to administrators in WordPress.
>> Best regards,
>> Alex Günsche
>> Alex Günsche, Zirona OpenSource-Consulting
>> work: http://www.zirona.com/ | leisure: http://www.roggenrohl.net
>> PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
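The pattern under discussion, as an added illustration that is not code from WordPress or from either poster: a theme-file editing handler whose only guard is a capability check, beside a hardened version. The parameter names `file` and `_token`, the two handler functions and the temporary theme directory are assumptions made for the demo; the real wp-admin/templates.php may be laid out differently. The per-session token stands in for whatever per-request secret the application uses (WordPress has nonces for this role).

```php
<?php
// Added example, not WordPress code. Shows why "the victim must be logged in
// and able to edit files" is no defense against a reflected XSS link: the
// lured admin satisfies both conditions, and a Remember Me cookie logs them
// in without any interaction.

declare(strict_types=1);

// Vulnerable shape: capability check, then the request parameter is echoed raw.
function render_vulnerable(array $query, bool $can_edit_files): string
{
    if (!$can_edit_files) {
        return 'Sorry, you cannot edit files.';
    }
    $file = $query['file'] ?? '';           // attacker-controlled, unescaped
    return "<h2>Editing {$file}</h2>";
}

// Hardened shape:
//  1. the link must carry a per-session token, so a third party cannot
//     construct a working URL to mail or post in a comment;
//  2. the file name is resolved and confined to the theme directory;
//  3. anything reflected into the page is HTML-escaped.
function render_hardened(
    array $query,
    bool $can_edit_files,
    string $session_token,
    string $theme_dir
): string {
    if (!$can_edit_files) {
        return 'Sorry, you cannot edit files.';
    }
    // Token first: a crafted link from an outsider cannot know it.
    $token = $query['_token'] ?? '';
    if ($token === '' || !hash_equals($session_token, $token)) {
        return 'Request could not be verified.';
    }
    $file = $query['file'] ?? '';
    $path = realpath($theme_dir . DIRECTORY_SEPARATOR . $file);
    $root = realpath($theme_dir);
    // realpath() collapses "../" segments; the prefix check keeps us inside $theme_dir.
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return 'Invalid file.';
    }
    $safe = htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
    return "<h2>Editing {$safe}</h2>";
}

// Constructed demo data: a throwaway theme directory with one real file.
$themeDir = sys_get_temp_dir() . '/demo-theme-' . getmypid();
mkdir($themeDir);
file_put_contents($themeDir . '/style.css', "/* demo */\n");

// The admin (can_edit_files = true) follows a link an attacker mailed them.
$crafted = ['file' => '<script>alert(document.cookie)</script>'];
echo render_vulnerable($crafted, true), "\n";   // payload lands in the admin's page

$sessionToken = bin2hex(random_bytes(16));
// Same crafted link against the hardened handler: refused before the
// file name is ever looked at, because the outsider had no token.
echo render_hardened($crafted, true, $sessionToken, $themeDir), "\n";
// A legitimate link built by the application itself carries the token.
echo render_hardened(['file' => 'style.css', '_token' => $sessionToken],
                     true, $sessionToken, $themeDir), "\n";
// Traversal with a valid token is still confined to the theme directory.
echo render_hardened(['file' => '../../etc/passwd', '_token' => $sessionToken],
                     true, $sessionToken, $themeDir), "\n";

unlink($themeDir . '/style.css');
rmdir($themeDir);
```

The order of the checks matters: the token is verified before the file parameter is touched, so the "just get the admin to click" approach from the thread fails even when the Remember Me cookie has already authenticated the browser. Escaping alone would stop this particular script injection, but without the token the page would still act on any request the admin's browser can be made to send.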