[wp-hackers] Reputed XSS issue with WordPress (templates.php)

Alex Günsche ag.ml2007 at zirona.com
Tue Feb 13 15:01:54 GMT 2007


Today, SecurityFocus reports a Cross-Site Scripting vulnerability for
WordPress (http://www.securityfocus.com/bid/22534).

However, (at least in my opinion) this is not a real security issue,
because a user who wants to execute the URL given in the PoC exploit
code must be logged in and have at least the capability to edit files.
If the user is not logged in, he will be asked to do so; if he doesn't
have the capabilities to edit files, the script will abort immediately.
Please see wp-admin/templates.php, ll. 37-60, especially ll. 40-41.

So, it might be possible that a user can inject JS via the URL as
displayed in the PoC, but if he is able to do this, he would actually
be able to write the JS into one of the other WP files anyway (given
they are server-writable). The capability of editing files is usually a
privilege of administrators in WordPress.

Best regards,
Alex Günsche

Alex Günsche, Zirona OpenSource-Consulting
work: http://www.zirona.com/ | leisure: http://www.roggenrohl.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
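The gate the post describes, as an added stand-alone example (not WordPress code and not the poster's): a login check followed by an "edit files" capability check in front of a page that reflects a request parameter. The `$users` table, the `edit_files` capability name, the `?file=` parameter and the probe string are assumptions for illustration; the point is that only a caller who already passes both checks ever reaches the reflecting line, and that escaping the reflected value is the actual fix.

```php
<?php
// Added example, not WordPress code: models the early exit in an admin
// file-editor page (redirect when anonymous, abort when the capability is
// missing) before a request parameter is reflected into the page.
// Runs outside WordPress; users, capability name and parameter are assumed.

declare(strict_types=1);

// Constructed users: capability sets stand in for WordPress roles.
$users = [
    'admin'       => ['edit_files' => true,  'edit_posts' => true],
    'contributor' => ['edit_files' => false, 'edit_posts' => true],
];

// Assumed stand-in for WordPress's current_user_can().
function user_can(?string $user, string $cap, array $users): bool
{
    return $user !== null && !empty($users[$user][$cap]);
}

// Returns the response body, or a status string when the gate fires.
function file_editor(?string $user, array $get, array $users, bool $escape): string
{
    if ($user === null) {
        return 'REDIRECT: wp-login.php';          // auth_redirect() in WordPress
    }
    if (!user_can($user, 'edit_files', $users)) {
        return 'DIE: You do not have permission'; // wp_die() in WordPress
    }
    $file = $get['file'] ?? 'index.php';
    // Reflected parameter: unescaped is the XSS sink, escaped is the fix.
    $shown = $escape ? htmlspecialchars($file, ENT_QUOTES, 'UTF-8') : $file;
    return "<input type=\"text\" name=\"file\" value=\"$shown\">";
}

// Constructed probe input of the kind a reflected-XSS PoC would carry.
$payload = ['file' => '"><script>alert(1)</script>'];

foreach ([null, 'contributor', 'admin'] as $who) {
    printf("%-12s unescaped: %s\n", $who ?? 'anonymous',
        file_editor($who, $payload, $users, false));
}
printf("%-12s escaped:   %s\n", 'admin', file_editor('admin', $payload, $users, true));
```

Run with `php example.php`: the anonymous request is redirected, the contributor is refused, and only the admin reaches the reflecting line; with escaping on, the admin's probe comes back as entities instead of markup.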
