WordPress XSS under function wp_title()

2007.04.10
Credit: g30rg3_x
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

_____________ ChX Security | Advisory #1 | ============= -> "WordPress XSS under function wp_title()" <- ______ Data | ====== Author: g30rg3_x <g30rg3x_at_gmail_dot_com> Program: WordPress <http://wordpress.org/> Severity: Less Critical. Type of Advisory: Mid Disclosure. Affected/Tested Versions: -> Series 2.0.x: <= 2.0.10-alpha -> Series 2.1.x: <= 2.1.3-alpha -> Series SVN latest: <= 2.2-bleeding (Revision 5002) ____________________ Program Description | ==================== WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. What a mouthful. WordPress is both free and priceless at the same time. More simply, WordPress is what you use when you want to work with your blogging software, not fight it. _________ Overview | ========= The query variable "year" inside the function "wp_title", its not sanitized so it allows a non persistent cross site scripting attack. ___________ WorkAround | =========== $title takes the value in raw (without any type of filter) of $year which is an a query variable, that can be filled with any web browser via a simply GET parameter. ________________ Proof Of Concept| ================ ChX Security will not release any proof of concept. ____________ Solution/Fix| ============ The lastest SVN Revision (greater than revision 5002) has alredy fixed this bug... http://trac.wordpress.org/changeset/5003 For series 2.1.x and 2.0.x, the vendor will fix this in the next set of dot releases. ______ Dates | ====== Bug Found: 2/03/2007 Vendor Contact: 3/03/2007 Vendor Response: 7/03/2007 Public Disclosure: 9/03/2007 _______ Shouts | ======= Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all mexican white hats. White Hat Powa. ChX Security http://chxsecurity.org/ (c) 2007 -- Copy: http://chxsecurity.org/advisories/adv-1-mid.txt _________________________ g30rg3_x


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top