WordPress XSS under function wp_title() Mar 09 2007 10:16PM
g30rg3_x (g30rg3x gmail com)
ChX Security |
Advisory #1 |

-> "WordPress XSS under function wp_title()" <-

Data |
Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <http://wordpress.org/>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions:
-> Series 2.0.x: <= 2.0.10-alpha
-> Series 2.1.x: <= 2.1.3-alpha
-> Series SVN latest: <= 2.2-bleeding (Revision 5002)

Program Description |
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

Overview |
The query variable "year" inside the function "wp_title" is not sanitized,
so it allows a non-persistent cross-site scripting attack.

WorkAround |
$title takes the raw value (without any type of filter) of $year, which is
a query variable that can be set from any web browser via a simple
GET parameter.
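
The pattern described above, next to a filtered form, as an added example. It is a simplified sketch, not WordPress source and not code from ChX Security; the function names and the "Blog - " title format are hypothetical.

```php
<?php
// Added illustration; simplified, not WordPress source. Names are hypothetical.

// Pattern described in the advisory: the raw "year" query variable is
// copied into the title, which is later printed into the HTML page.
function build_title_unfiltered(array $query): string
{
    $year = $query['year'] ?? '';
    return $year === '' ? 'Blog' : 'Blog - ' . $year;
}

// Hardened form: allow only a four-digit year, then escape at output.
function build_title_filtered(array $query): string
{
    $year = $query['year'] ?? '';
    // ?year[]=x arrives as an array in PHP, so check the type first.
    if (!is_string($year) || preg_match('/\A[0-9]{4}\z/', $year) !== 1) {
        $year = '';
    }
    $title = $year === '' ? 'Blog' : 'Blog - ' . $year;
    // Second layer: encode HTML metacharacters before the value is printed.
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs; harmless markup stands in for attacker-supplied text.
$samples = [
    ['year' => '2007'],
    ['year' => '2007<i>x</i>'],
    ['year' => '20071'],
];

foreach ($samples as $query) {
    printf(
        "input:      %s\nunfiltered: %s\nfiltered:   %s\n\n",
        $query['year'],
        build_title_unfiltered($query),
        build_title_filtered($query)
    );
}
```

Only the first sample survives the filter unchanged; the other two fall back to the bare title because they are not a plain four-digit year.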

Proof Of Concept |
ChX Security will not release any proof of concept.

The latest SVN revision (greater than revision 5002) has already fixed
this bug...

For series 2.1.x and 2.0.x, the vendor will fix this in the next set
of dot releases.

Dates |
Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007

Shouts |
Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all mexican white hats.
White Hat Powa.

ChX Security
(c) 2007

Copy: http://chxsecurity.org/advisories/adv-1-mid.txt
