[waraxe-2007-SA#059] - XSS in WordPress 2.3 Oct 27 2007 07:18PM
come2waraxe yahoo com

[waraxe-2007-SA#059] - XSS in WordPress 2.3


Author: Janek Vind "waraxe"

Date: 27. October 2007

Location: Estonia, Tartu

Web: http://www.waraxe.us/advisory-59.html

Target software description:


WordPress is a state-of-the-art semantic personal publishing platform

with a focus on aesthetics, web standards, and usability.

To run WordPress your host just needs a couple of things:

PHP version 4.2 or greater

MySQL version 4.0 or greater

Vulnerabilities: Cross-Site Scripting (XSS) in "edit-post-rows.php"


Let's have a look inside "/wp-admin/edit-post-rows.php":

------------>[source code]<------------

<?php foreach($posts_columns as $column_display_name) { ?>

<th scope="col"><?php echo $column_display_name; ?></th>

<?php } ?>

------------>[/source code]<-----------

As we can see, array "posts_columns" is uninitialized and if we execute

this php script directly, then arbitrary value for that variable can be

delivered. This means, that reflective XSS exists here. And of course,

"register_globals" must be "on" for this exploit to be successful.

Proof of concept:


//-----> See ya soon and have a nice day ;) <-----//

How to fix:


Get latest WordPress version 2.3.1:


... and update ASAP :)



Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb

and anyone else who know me!

Greetings to Raido Kerna.

Tervitusi Torufoorumi rahvale!



come2waraxe (at) yahoo (dot) com [email concealed]

Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

Shameless advertise:


SHA Hash Calculator - http://sha1-hash-online.waraxe.us/

Biography Database - http://www.biosaxe.com/

---------------------------------- [ EOF ] ----------------------------

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus