|
2010-12-29, 05:29 PM | #1 | |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
Wordpress 3.0.4 XSS critical update
http://wordpress.org/news/2010/12/3-0-4-update/
Quote:
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
|
2010-12-29, 05:40 PM | #2 |
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
Join Date: Apr 2003
Posts: 3,914
|
Do you have a sense of what the vulnerability is? Have you seen or heard of anything exploited yet?
|
2010-12-29, 05:48 PM | #3 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
I haven't pulled down 3.0.3 and 3.0.4 yet to see what they changed. I've never understood why anyone tries to clean up data... if it doesn't match your validation, it should be declined.
I suspect the error might be in the commenting or post section as that is the only place that library seems to be called - so, if your blog doesn't have comments, it may not be vulnerable. However, it could be in the user's bio field, and an admin that views a users profile could leak the admin cookie. I'll take a look later, just seemed prudent to let people know earlier rather than later.
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
2010-12-29, 06:00 PM | #4 |
Nobody gets into heaven without a glowstick
|
Good info. Thanks for the heads up! Updating my WP sites now...
__________________
Dirty Old Men Sponsors - gay & straight |
2010-12-29, 07:17 PM | #5 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
changeset
http://core.trac.wordpress.org/chang...2/branches/3.0 basically, anywhere someone can enter input that might contain html.. comments, bio, posts, etc. can be exploited.
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
2010-12-29, 07:35 PM | #6 |
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
Join Date: Apr 2003
Posts: 3,914
|
Damn, you gotta be some sort of frikking genius or savant to understand that page.
But sounds fucked up. What happens if you have comments set to approve only? Does the exploit still get you? |
2010-12-29, 08:05 PM | #7 |
old enough to be Grandma Scrotum
|
Would this exploit apply to older versions of WP?
__________________
Promote Bright Desire |
2010-12-29, 08:26 PM | #8 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
I believe based on what they changed, that almost every version of wordpress is vulnerable. KSES was their 'end-all be-all' solution to html sanitization, and, it has a pretty big hole. Any place you can enter text, that could potentially include html, would be possible to exploit.
While <script> was filtered out correctly, it appears that <SCRIPT> was not. If the comment is set to approve only, it is possible that a script could be written that could expose your auth information - not the password, but the auth token. A savvy enough person could use that to get into wordpress. Alternatively they could do an iframe exploit that could expose you to malicious content just by viewing the content. I'm not entirely sure where they use KSES for sanitization, but, it looks like almost every input calls it. Not really a thrilling thought.
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
|
|