[wp-trac] Re: [WordPress Trac] #3879: XSS in 2.1.1 in AYS for HTTP GET requests
WordPress Trac
wp-trac at lists.automattic.com
Tue Feb 27 23:14:12 GMT 2007
#3879: XSS in 2.1.1 in AYS for HTTP GET requests
----------------------+-----------------------------------------------------
Reporter: Reaper-X | Owner: anonymous
Type: defect | Status: closed
Priority: low | Milestone: 2.1.2
Component: Security | Version: 2.1.1
Severity: normal | Resolution: fixed
Keywords: |
----------------------+-----------------------------------------------------
Changes (by markjaquith):
* summary: XSS in 2.1.1 input passed to the "post" parameter in wp-admin/post.php => XSS in 2.1.1 in AYS for HTTP GET requests
Old description:
> http://www.securityfocus.com/archive/1/461351/30/0/ threaded.
> http://secunia.com/advisories/24316/ reads:
>
> Input passed to the "post" parameter in wp-admin/post.php (when "action"
> is set to "delete") is not properly sanitised before being returned to a
> user. This can be exploited to execute arbitrary HTML and script code in
> a user's browser session in context of an affected site.
>
> Successful exploitation requires that the target user is logged in as
> administrator.
New description:
http://www.securityfocus.com/archive/1/461351/30/0/ threaded.
http://secunia.com/advisories/24316/ reads:
Input passed to the "post" parameter in wp-admin/post.php (when "action"
is set to "delete") is not properly sanitised before being returned to a
user. This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
Successful exploitation requires that the target user is logged in as
administrator.
----
The exploit is actually more general than that: for any action that
triggers nonce verification, the URL for the "Yes" action is not properly
sanitized, and a specially crafted URL can escape from the link's
{{{href}}} attribute and inject arbitrary HTML. The "delete" action and
the "post" parameter just happen to be the ones used in the example.
Comment:
Just clearing up some confusion... some people think that this has
something to do with deleting posts because of the specific example that
was released. The exploit is more general than that, and it is purely an
XSS hole.
--
Ticket URL: <http://trac.wordpress.org/ticket/3879#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
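The mechanism described in the ticket's new description (the AYS page building its "Yes" link from an unescaped request URI) as an added illustration; this is not WordPress code and not the 2.1.2 patch, and `render_ays_link_vulnerable`, `render_ays_link_hardened` and `link_is_well_formed` are hypothetical names for the purpose of the example.

```php
<?php
// Added example, not WordPress code: a minimal model of how an "Are you
// sure?" (AYS) page might build its "Yes" link from the current request URI.

// Vulnerable pattern: the URI is echoed straight into the attribute, so a
// double quote in it terminates the href value and the rest of the URI is
// parsed by the browser as markup.
function render_ays_link_vulnerable(string $request_uri): string {
    return '<a href="' . $request_uri . '">Yes</a>';
}

// Hardened pattern: escape for an HTML attribute context. ENT_QUOTES makes
// both " and ' safe; < and > are converted as well, so nothing in the URI
// can close the attribute or open a tag.
function render_ays_link_hardened(string $request_uri): string {
    $safe = htmlspecialchars($request_uri, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '">Yes</a>';
}

// Defensive check usable in a unit test or when reviewing rendered output:
// the link must consist of exactly one href attribute and nothing else.
function link_is_well_formed(string $html): bool {
    return preg_match('/^<a href="[^"<>]*">Yes<\/a>$/', $html) === 1;
}

// Constructed sample URIs: one benign, one carrying attribute-breaking
// characters. The nonce value is a placeholder, not a real token.
$benign  = '/wp-admin/post.php?action=delete&post=12&_wpnonce=PLACEHOLDER';
$hostile = '/wp-admin/post.php?action=delete&post=12"><b>x</b>';

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $uri) {
    $raw = render_ays_link_vulnerable($uri);
    $esc = render_ays_link_hardened($uri);
    printf("%-8s vulnerable well-formed: %s\n", $label, link_is_well_formed($raw) ? 'yes' : 'no');
    printf("%-8s hardened   well-formed: %s\n", $label, link_is_well_formed($esc) ? 'yes' : 'no');
}
```

Only the hardened rendering keeps the hostile URI inside the `href` value; the vulnerable rendering of the same URI fails the well-formedness check, which is the behaviour the ticket generalises to every nonce-verified action.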