Package: wordpress
Severity: grave
Tags: security
Justification: user security hole
Nicolas Montoza <[EMAIL PROTECTED]> reported two security vulnerabilities
in Wordpress, which insert verbose, as I could not find a public WWW
reference for them.
Cheers,
Moritz
============================================================
Title: WordPress XSS and HTML injection
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 12/04/2005
Severity: Medium. users can obtain cookies of other users and defacement website
Affected version: <= 1.5
============================================================
============================================================
*Summary
http://wordpress.org. Wordpress is a popular blogging system built on
PHP (the scripting language) and is licensed under the GPL. It is free
software supported by a large and vibrant community of users. You can
use WordPress as a stand-alone application to publish your web log, or
incorporate its functionality into an existing site.
============================================================
*Problem Description:
Bug is in the content and title of post, when not controlling the
entrance of characters, being able to inject HTML code
============================================================
*Example:
Type in the title or content of post
<script>alert(document.cookie)</script>
<iframe src=http://othersite/sb.php>
============================================================
*Fix:
wordpress\wp-includes\template-functions-post.php
function get_the_title($id = 0) {
.
.
.
return $title;
}
replace for by function
function get_the_title($id = 0) {
.
.
.
$sb_convert = $output;
$sb_input = array("<",">","(",")");
$sb_output = array("<",">","(",")");
$output = str_replace($sb_input, $sb_output, $sb_convert);
return $title;
}
function get_the_content($more_link_text = '(more...)', $stripteaser =
0, $more_file = '') {
.
.
.
return $output;
}
replace for by function
function get_the_content($more_link_text = '(more...)', $stripteaser =
0, $more_file = '') {
.
.
.
$sb_convert = $output;
$sb_input = array("<",">","(",")");
$sb_output = array("<",">","(",")");
$output = str_replace($sb_input, $sb_output, $sb_convert);
return $output;
}
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
