Package: wordpress
Severity: grave
Tags: security
Justification: user security hole
Nicolas Montoza <[EMAIL PROTECTED]> reported two security vulnerabilities in WordPress, which I insert verbatim, as I could not find a public WWW reference for them.

Cheers,
Moritz

============================================================
Title: WordPress XSS and HTML injection
Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 12/04/2005
Severity: Medium. Users can obtain the cookies of other users and deface the website.
Affected version: <= 1.5
============================================================

*Summary
http://wordpress.org. WordPress is a popular blogging system built on PHP (the scripting language) and is licensed under the GPL. It is free software supported by a large and vibrant community of users. You can use WordPress as a stand-alone application to publish your web log, or incorporate its functionality into an existing site.
============================================================

*Problem Description:
The bug is in the content and title of a post: the input characters are not controlled, so HTML code can be injected.
============================================================

*Example:
Type in the title or content of a post:

<script>alert(document.cookie)</script>
<iframe src=http://othersite/sb.php>
============================================================

*Fix:
wordpress\wp-includes\template-functions-post.php

function get_the_title($id = 0) {
    . . .
    return $title;
}

replace by the function

function get_the_title($id = 0) {
    . . .
    // HTML-encode the characters used for tag and call injection before
    // returning the title. The encoded output entities are assumed here; the
    // archived copy shows them decoded to the same characters as the input.
    $sb_convert = $title;
    $sb_input  = array("<", ">", "(", ")");
    $sb_output = array("&lt;", "&gt;", "&#40;", "&#41;");
    $title = str_replace($sb_input, $sb_output, $sb_convert);
    return $title;
}

function get_the_content($more_link_text = '(more...)', $stripteaser = 0, $more_file = '') {
    . . .
    return $output;
}

replace by the function

function get_the_content($more_link_text = '(more...)', $stripteaser = 0, $more_file = '') {
    . . .
    // Same encoding applied to the post body before it is returned.
    $sb_convert = $output;
    $sb_input  = array("<", ">", "(", ")");
    $sb_output = array("&lt;", "&gt;", "&#40;", "&#41;");
    $output = str_replace($sb_input, $sb_output, $sb_convert);
    return $output;
}
============================================================

-- SoulBlack - Security Research
http://www.soulblack.com.ar
--

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
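The advisory's fix encodes only four characters with str_replace(). The following is an added example, not code from the advisory, from WordPress, or from the bug reporter; it compares that character list against PHP's htmlspecialchars() on the advisory's two payloads and on a constructed attribute-context payload. The function names sb_escape() and html_escape() and the sample payloads are assumptions made for the illustration.

```php
<?php
// Added example: advisory-style str_replace() encoding versus htmlspecialchars().
// Everything below is constructed for illustration and is not WordPress code.

// Encoder in the style of the advisory's fix: only '<', '>', '(', ')' are encoded.
function sb_escape(string $s): string {
    $sb_input  = array("<", ">", "(", ")");
    $sb_output = array("&lt;", "&gt;", "&#40;", "&#41;");
    return str_replace($sb_input, $sb_output, $s);
}

// Idiomatic PHP output encoder: with ENT_QUOTES it covers '&', '"', "'", '<' and '>',
// which is the set needed for HTML text nodes and for quoted attribute values.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Two payloads from the advisory (text-node context) plus a constructed payload
// that targets an attribute context, which the advisory's character list ignores.
$payloads = array(
    'text node' => '<script>alert(document.cookie)</script>',
    'iframe'    => '<iframe src=http://othersite/sb.php>',
    'attribute' => '" onmouseover="alert(document.cookie)',
);

foreach ($payloads as $ctx => $p) {
    echo "[$ctx]\n";
    echo "  advisory-style:   " . sb_escape($p) . "\n";
    echo "  htmlspecialchars: " . html_escape($p) . "\n";
}

// A theme that prints the title inside an attribute, e.g. <a title="...">, shows the
// gap: sb_escape() leaves the double quote intact, so the attribute payload still
// closes the title attribute and adds an event handler, while html_escape() does not.
echo "\n";
printf("<a title=\"%s\">post</a>\n", sb_escape($payloads['attribute']));
printf("<a title=\"%s\">post</a>\n", html_escape($payloads['attribute']));
```

Run it with the PHP CLI (php example.php). The first two payloads are neutralised by both encoders because they depend on '<' and '>'; the third is neutralised only by htmlspecialchars(), which is why output encoding should be chosen for the context the value is rendered in rather than from a fixed list of tag characters.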