WordPress XSS under function wp_title()

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WordPress XSS under function wp_title()
From: g30rg3_x <g30rg3x@xxxxxxxxx>
Date: Fri, 9 Mar 2007 16:16:25 -0600
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=lLg/uSVKUKGLNBIUxSzTar+QyUuXaMJcRYx9PQMw/JOGwBeSkY+DSEOwUV9skKQkvJPPFf4/psOx6KSYKTlyCKF8NkydpGgfC0Yzqf6PdZ44h/YHRmSsZpLq8XbE3B1fgKWubrQAfpiX5Zd5V93g7rfm71vgek1ZVKCkGjcRve8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=W1o4n7rl3he5Zt39P0ic/ABOBjXLYdkMyfbJ8D3ubXf+nLQKp5JArVhuOqU+pzgEJQ0WCHsbBovjtkevFUNUZZVgnZgUmTakokDL9xujVhhAGOzC46vebSPDHjPXJncfEJH8PZtdk2rPKao4dJEC6ZLm9oRuKEjYGQwoKxMD1ow=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

_____________
ChX Security |
Advisory #1  |
=============

->    "WordPress XSS under function wp_title()"    <-

______
Data |
======
Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <http://wordpress.org/>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions:
-> Series 2.0.x: <= 2.0.10-alpha
-> Series 2.1.x: <= 2.1.3-alpha
-> Series SVN latest: <= 2.2-bleeding (Revision 5002)

____________________
Program Description |
====================
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

_________
Overview |
=========
The query variable "year" inside the function "wp_title", its not sanitized
so it allows a non persistent cross site scripting attack.

___________
WorkAround |
===========
$title takes the value in raw (without any type of filter) of $year which is an
a query variable, that can be filled with any web browser via a simply
GET parameter.

________________
Proof Of Concept|
================
ChX Security will not release any proof of concept.

____________
Solution/Fix|
============
The lastest SVN Revision (greater than revision 5002) has alredy fixed
this bug...
http://trac.wordpress.org/changeset/5003

For series 2.1.x and 2.0.x, the vendor will fix this in the next set
of dot releases.

______
Dates |
======
Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007
_______
Shouts |
=======
Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all mexican white hats.
White Hat Powa.

           ChX Security
      http://chxsecurity.org/
            (c) 2007

--
Copy: http://chxsecurity.org/advisories/adv-1-mid.txt
_________________________
            g30rg3_x

Prev by Date: Re: Re[2]: Microsoft Windows Vista/2003/XP/2000 file management security issues
Next by Date: Security bypass vulnerability in LedgerSMB and SQL-Ledger (fixes released today)
Previous by thread: [ MDKSA-2007:060 ] - Updated kernel packages fix multiple vulnerabilities and bugs
Next by thread: Security bypass vulnerability in LedgerSMB and SQL-Ledger (fixes released today)
Index(es):
- Date
- Thread