[wp-hackers] FW: WordPress XSS under function wp_title()

Ross M. W. Bennetts ross.bennetts at une.edu.au
Mon Mar 12 01:18:47 GMT 2007

-----Original Message-----
From: g30rg3_x [mailto:g30rg3x at gmail.com] 
Sent: Saturday, 10 March 2007 9:16 AM
To: bugtraq at securityfocus.com
Subject: WordPress XSS under function wp_title()

ChX Security |
Advisory #1  |

->    "WordPress XSS under function wp_title()"    <-

Data |
Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <http://wordpress.org/>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions:
 -> Series 2.0.x: <= 2.0.10-alpha
 -> Series 2.1.x: <= 2.1.3-alpha
 -> Series SVN latest: <= 2.2-bleeding (Revision 5002)

Program Description |
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

Overview |
The query variable "year" inside the function "wp_title" is not sanitized,
so it allows a non-persistent cross-site scripting attack.

WorkAround |
$title takes the raw value (without any type of filter) of $year, which is
a query variable that can be filled from any web browser via a simple
GET parameter.

Proof Of Concept |
ChX Security will not release any proof of concept.

The latest SVN revision (greater than revision 5002) has already fixed
this bug...

For series 2.1.x and 2.0.x, the vendor will fix this in the next set
of dot releases.

Dates |
Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007

Shouts |
Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all Mexican white
hats. White Hat Powa.

            ChX Security
             (c) 2007

Copy: http://chxsecurity.org/advisories/adv-1-mid.txt
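
The pattern the advisory's Overview and WorkAround sections describe, a "year" query variable copied into $title without any filter, shown beside a hardened version. This is an added example, not WordPress's wp_title() code and not part of the original advisory; the function names, the request array and its value are constructed for illustration.

```php
<?php
// Added example (not WordPress's own code): models the flow the advisory
// describes, a "year" query variable copied raw into the page title, and the
// two defensive controls that close it. Function names are hypothetical.

// Constructed request parameters standing in for the GET query string.
$constructed_get = ['year' => '2007<em>not a year</em>'];

// Vulnerable pattern: the query variable lands in $title unfiltered, so
// whatever the browser sent is echoed back inside the <title> element.
function title_unfiltered(array $get): string {
    $year  = $get['year'] ?? '';
    $title = $year;                        // no filter of any kind
    return '<title>' . $title . '</title>';
}

// Hardened pattern: a year is numeric, so cast it to an integer (input
// validation) and HTML-encode whatever is finally output (output escaping).
// Either control alone neutralises reflected markup; using both is defence
// in depth, since the escaping also covers any future non-numeric field.
function title_hardened(array $get): string {
    $year = isset($get['year']) ? (int) $get['year'] : 0;
    if ($year < 1970 || $year > 9999) {    // reject implausible values
        $year = 0;
    }
    $title = $year > 0 ? (string) $year : '';
    return '<title>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</title>';
}

echo title_unfiltered($constructed_get), PHP_EOL;  // markup is echoed back as-is
echo title_hardened($constructed_get), PHP_EOL;    // only the numeric year survives
```

Run it with `php` on the command line: the first line shows the injected tag passing straight through to the title, the second shows the integer cast discarding everything after the digits. When reviewing similar code, look for query variables that reach output through a plain assignment like `$title = $year` with no cast or escaping call in between; that assignment is the whole bug.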
