[wp-trac] [WordPress Trac] #18250: I/O Sanity Failures in _wp_specialchars()
WordPress Trac
wp-trac at lists.automattic.com
Mon Jul 25 21:07:10 UTC 2011
#18250: I/O Sanity Failures in _wp_specialchars()
--------------------------+-----------------------------
Reporter: miqrogroove | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 2.8
Severity: critical | Keywords:
--------------------------+-----------------------------
'''Background'''
While reviewing and re-testing code from #12284 and [17171], I realized we
had missed something nearby and in plain sight:
{{{
$string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
}}}
This bug was reported to the security group during the 3.2 RC1 development
cycle.
A patch was submitted to the security group prior to 3.2 RC1.
Today we agreed to add the patch to a Trac ticket.
I believe this bug affects all versions of WordPress from version 2.8
through 3.2.1.
'''Vulnerability'''
Anonymous users can break comment feed validation by injecting the phrase
|wp_entity| into the body of any comment in the feed.
Any other output from _wp_specialchars() would be similarly vulnerable,
but the comment feed is the most obvious example.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18250>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
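
The following is an added example, not WordPress source and not part of the original ticket. It models the placeholder round-trip that the quoted str_replace() line belongs to and compares it with a marker-free escape. The function names, the entity regex, the surrounding steps and the sample comments are assumptions made for illustration; only the str_replace() call is taken from the ticket.

```php
<?php
// Simplified model (assumption): existing entities are swapped for
// |wp_entity|...|/wp_entity| markers, the string is escaped, and the markers
// are swapped back with the str_replace() call quoted in the ticket.
function escape_with_placeholder( $string ) {
    $string = preg_replace( '/&(#?x?[0-9a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string );
    $string = htmlspecialchars( $string, ENT_QUOTES, 'UTF-8' );
    return str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
}

// Marker-free alternative (hypothetical): escape '&' only when it does not
// already begin an entity, so no in-band marker can collide with user text.
function escape_without_placeholder( $string ) {
    $string = preg_replace( '/&(?!#?x?[0-9a-z]+;)/i', '&amp;', $string );
    return str_replace(
        array( '<', '>', '"', "'" ),
        array( '&lt;', '&gt;', '&quot;', '&#039;' ),
        $string
    );
}

// True when the escaped text parses as XML character data, as a feed requires.
function is_well_formed( $escaped ) {
    $previous = libxml_use_internal_errors( true );
    $ok = simplexml_load_string( '<description>' . $escaped . '</description>' ) !== false;
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    return $ok;
}

// Constructed sample comment bodies.
$samples = array(
    'Fish & chips',
    'Already escaped: &amp; and &#8217;',
    'Literal marker: |wp_entity| in the text',
);

foreach ( $samples as $comment ) {
    $old = escape_with_placeholder( $comment );
    $new = escape_without_placeholder( $comment );
    printf(
        "%s\n  placeholder: %s [%s]\n  marker-free: %s [%s]\n",
        $comment,
        $old, is_well_formed( $old ) ? 'valid' : 'INVALID',
        $new, is_well_formed( $new ) ? 'valid' : 'INVALID'
    );
}
```

The third sample is the case the ticket describes: the marker is indistinguishable from one the function inserted itself, so the restore step emits a bare ampersand and the enclosing XML no longer parses.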