Vulnerability Title: WordPress Persistent XSS
Author: David Kierznowski
Homepage: http://michaeldaw.org
Software Vendor: WordPress Persistent XSS
Versions affected: Confirmed in v2.0.5 (latest)
WordPress is a popular open source blogging software.
A persistent XSS vulnerability has been found in WordPress (to be honest I have found a few problems and hope to publish these soon). This issue affects the latest version v2.0.5.
Discussion:
When editing files a shortcut is created titled recently accessed files. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with /. We can get around this by using open IMG tags; this works under FF and IE.
Vulnerable code:
wp-admin/templates.php:
[line 22]$recents = get_option('recently_edited');
[line 72]update_recently_edited($file);
[Line 116]:foreach ($recents as $recent) :
echo ""
. get_file_description(basename($recent))
. "";
Vulnerable function:
function get_file_description($file) {
global $wp_file_descriptions;
if (isset ($wp_file_descriptions[basename($file)])) {
return $wp_file_descriptions[basename($file)];
}
elseif (file_exists(ABSPATH.$file)) {
$template_data = implode('', file(ABSPATH.$file));
if (preg_match("|Template Name:(.*)|i",
$template_data, $name))
return $name[1];
}
return basename($file);
}
Proof of concept:
https://blogsite/wp/wp-admin/templates.php?file=![]()
Temp Fix:
Comment out the following line in wp-admin/templates.php
[Line 72] update_recently_edited($file);
WordPress was contacted: 26/12/06 22:04 BST
Reply received: 27/12/06 06:11 BST
WordPress has fixed this for v2.0.6 and a patch has been released
for v2.0.5, see
http://trac.wordpress.org/changeset/4665