WordPress XSS and HTML injection

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, helpout@xxxxxxxxxxxxx, sec@xxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: WordPress XSS and HTML injection
From: Nicolas Montoza <xonico@xxxxxxxxx>
Date: Tue, 12 Apr 2005 03:47:53 -0300
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=mGxRZTbDLysTUUTwJuFSXan2BDfysKNMtGhcwAMFhczhKVc4lNUgCnvRTsyew0BNrlpSAI/MrgAaa+vA+KN5cxfv2dqZkspgTi8jYPO1pm77CZN/541yCRdcH8IRE5QLgWR67dHb6AGNV5aQLTdQvcN773gn+PRfPBTOMG1s/IM=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Nicolas Montoza <xonico@xxxxxxxxx>

============================================================
Title: WordPress XSS and HTML injection
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 12/04/2005
Severity: Medium. users can obtain cookies of other users and defacement website
Affected version: <= 1.5
============================================================

============================================================
*Summary
http://wordpress.org. Wordpress is a popular blogging system built on
PHP (the scripting language) and is licensed under the GPL. It is free
software supported by a large and vibrant community of users. You can
use WordPress as a stand-alone application to publish your web log, or
incorporate its functionality into an existing site.

============================================================
*Problem Description:
Bug is in the content and  title of post, when not controlling the
entrance of  characters, being able to inject HTML code

============================================================
*Example:
Type in the title or content of post

  <script>alert(document.cookie)</script>

  <iframe src=http://othersite/sb.php>

============================================================
*Fix:
  wordpress\wp-includes\template-functions-post.php

function get_the_title($id = 0) {
        .
        .
        .
        return $title;
}

replace for by function

function get_the_title($id = 0) {
        .
        .
        .
        $sb_convert = $output;
        $sb_input =  array("<",">","(",")");
        $sb_output = array("&lt;","&gt;","&#40;","&#41;");
        $output = str_replace($sb_input, $sb_output, $sb_convert);
        return $title;
}


function get_the_content($more_link_text = '(more...)', $stripteaser =
0, $more_file = '') {
        .
        .
        .
        return $output;
}

replace for by function

function get_the_content($more_link_text = '(more...)', $stripteaser =
0, $more_file = '') {
        .
        .
        .
        $sb_convert = $output;
        $sb_input =  array("<",">","(",")");
        $sb_output = array("&lt;","&gt;","&#40;","&#41;");
        $output = str_replace($sb_input, $sb_output, $sb_convert);
        return $output;
}

============================================================
-- 
 SoulBlack - Security Research
 http://www.soulblack.com.ar

Prev by Date: RE: iDEFENSE Security Advisory 04.08.05: Microsoft Multiple E-Mail Client Address Spoofing Vulnerability
Next by Date: GLD (Greylisting daemon for Postfix) multiple vulnerabilities.
Previous by thread: Window Washer 6.0: False Sense of Security
Next by thread: GLD (Greylisting daemon for Postfix) multiple vulnerabilities.
Index(es):
- Date
- Thread