[wp-trac] [WordPress Trac] #4689: Wordpress uploads.php Cross-Site Scripting Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Tue Jul 31 20:04:56 GMT 2007
#4689: Wordpress uploads.php Cross-Site Scripting Vulnerability
-----------------------------+----------------------------------------------
Reporter: BenjaminFlesch | Owner: anonymous
Type: enhancement | Status: new
Priority: highest omg bbq | Milestone:
Component: Security | Version: 2.2.1
Severity: critical | Keywords:
-----------------------------+----------------------------------------------
In /upload.php the parameter style is prone to XSS attacks when editing
Temporary Uploads (they usually have a negative ID). An attack could look
like this:
/upload.php?style=%22%3E{shellcode}&tab=upload&post_id=-1337
Description:
http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm/
Patch:
// IDs should be integers
$ID = (int) $ID;
$post_id = (int) $post_id;
*$style = preg_replace('/[^A-Za-z]/', '', $style);
Add the line marked with the * to upload.php after the $post_id one.
--
Ticket URL: <http://trac.wordpress.org/ticket/4689>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
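The following is an added example, not code from the ticket or from WordPress itself. It runs the reported vector through the letter-only whitelist the ticket proposes and, for comparison, through HTML attribute encoding at the point of output. The ticket does not show how upload.php uses $style; the class-attribute sink below is an assumption, chosen because the payload's leading %22%3E ("> ) is the classic break-out from a double-quoted attribute. Function names, the constructed query string and the benign alert(1) standing in for {shellcode} are all mine.

```php
<?php
// Added example (assumptions: attribute sink, function names, sample query).
// Not the ticket's code and not WordPress code.

// Ticket's proposed fix, verbatim in spirit: keep ASCII letters only.
function sanitize_style_whitelist(string $style): string {
    return preg_replace('/[^A-Za-z]/', '', $style);
}

// Alternative defence: keep the value but encode it for the HTML attribute
// context it is written into. WordPress later ships esc_attr() for this;
// plain htmlspecialchars() is used here so the file runs stand-alone.
function encode_for_attribute(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical sink: the parameter ends up inside a double-quoted class
// attribute. This is an assumption about upload.php, not taken from the ticket.
function render_style_div(string $style): string {
    return '<div class="' . $style . '">';
}

// Mirror the integer casts from the ticket's patch. Casting keeps the
// negative IDs used for temporary uploads, so the cast alone is not what
// stops the attack; the style value is.
function parse_upload_request(array $get): array {
    return [
        'post_id' => isset($get['post_id']) ? (int) $get['post_id'] : 0,
        'tab'     => isset($get['tab'])     ? (string) $get['tab']  : '',
        'style'   => isset($get['style'])   ? (string) $get['style'] : '',
    ];
}

// Constructed request: the ticket's vector, with alert(1) in place of {shellcode}.
$query = 'style=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&tab=upload&post_id=-1337';
parse_str($query, $get);
$req = parse_upload_request($get);

printf("post_id after (int) cast: %d\n", $req['post_id']);
// Unfiltered: the quote and > close the attribute and the tag, the script runs.
printf("raw:       %s\n", render_style_div($req['style']));
// Whitelist: every non-letter is dropped, so no quote, no angle bracket survives.
printf("whitelist: %s\n", render_style_div(sanitize_style_whitelist($req['style'])));
// Encoded: the characters survive as entities and stay inside the attribute.
printf("encoded:   %s\n", render_style_div(encode_for_attribute($req['style'])));
```

Both variants neutralise this particular vector. The whitelist is the smaller change and is safe for a value that only ever selects a named style, but it silently rewrites any legitimate value containing digits, hyphens or underscores; attribute encoding at the sink preserves the value and is the defence that also holds if the same parameter is later echoed somewhere else in the page.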