[wp-hackers] Reputed XSS issue with WordPress (templates.php)

Bas Bosman wordpress at nazgul.nu
Tue Feb 13 16:44:15 GMT 2007


This can be triggered by users without the edit files capability. You just
have to trick somebody with that capability to click that specially
crafted link, by mailing a link or posting it in a comment for instance.

Also don't forget that a lot of admins have the Remember Me switch toggled
(bad!), which invalidates the "you need to login" approach, because that
happens automatically behind the scenes.

Regards,
Bas Bosman (Nazgul)

> That's hardly a security problem... if someone has the ability to edit
> files, they can do much more than that.
>
> On 2/13/07, Alex Günsche <ag.ml2007 at zirona.com> wrote:
>>
>> Hello,
>>
>> Today, SecurityFocus reports a Cross-Site Scripting vulnerability for
>> WordPress (http://www.securityfocus.com/bid/22534).
>>
>> However, (at least in my opinion) this is not a real security issue,
>> because a user who wants to execute the URL given in the PoC exploit
>> code must be logged in and have at least the capability to edit files.
>> If the user is not logged in, he will be asked to do so; if he doesn't
>> have the capabilities to edit files, the script will abort immediately.
>> Please see wp-admin/templates.php, ll. 37-60, especially ll. 40-41.
>>
>> So, it might be possible that a user can inject JS via the URL as
>> displayed in the PoC, but when he is able to do this, he would actually
>> be able to write the JS into one of the other WP files anyway (given
>> they are server-writable). The capability of editing files is usually a
>> privilege to administrators in WordPress.
>>
>>
>> Best regards,
>> Alex Günsche
>>
>> --
>> Alex Günsche, Zirona OpenSource-Consulting
>> work: http://www.zirona.com/ | leisure: http://www.roggenrohl.net
>> PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
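An added illustration of the point Bas makes above, written here for this page and not taken from WordPress's wp-admin/templates.php or from anyone in the thread: a capability check runs in the victim's own session, so it passes for a link the admin was tricked into opening, and only output encoding of the reflected value removes the XSS. The parameter name `file`, the capability name and the markup are assumptions.

```php
<?php
// Added illustration, not WordPress's own code. Assumptions: the editor
// page reflects a GET parameter named "file" into a form field; the
// capability name and the markup are simplified.

// Constructed sample of the query string behind a "specially crafted
// link" of the kind described in the thread (mailed or left in a comment).
$crafted = ['file' => 'x"><script>alert(1)</script>'];

// Stand-in for WordPress's current_user_can(): the victim IS an admin,
// and the browser attaches the session (or Remember-Me) cookie for them.
$victim_can = fn(string $cap): bool => true;

function render_vulnerable(array $get, callable $current_user_can): string
{
    // The check the thread argues is "enough". It is not: it is evaluated
    // for the logged-in victim, not for whoever crafted the link.
    if (!$current_user_can('edit_files')) {
        return 'Forbidden';
    }
    $file = $get['file'] ?? '';
    // Raw reflection of user input into an HTML attribute: reflected XSS.
    return '<input type="text" name="file" value="' . $file . '" />';
}

function render_fixed(array $get, callable $current_user_can): string
{
    if (!$current_user_can('edit_files')) {
        return 'Forbidden';
    }
    // Encode for the HTML attribute context. ENT_QUOTES also encodes the
    // double quote, so the value can no longer close the attribute and
    // the injected tag is rendered as text instead of markup.
    $file = htmlspecialchars($get['file'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="file" value="' . $file . '" />';
}

// Both paths pass the capability check; only the second is safe to serve.
echo render_vulnerable($crafted, $victim_can), PHP_EOL;
echo render_fixed($crafted, $victim_can), PHP_EOL;
```

Escaping fixes the injection itself; protecting the save step of such a page against a forged request is a separate (CSRF) concern that a capability check does not cover either.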