[wp-trac] [WordPress Trac] #3973: XSRF, XSS security hole for users with unfiltered_html capability
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 14 22:23:56 GMT 2007
#3973: XSRF,XSS security hole for users with unfiltered_html capability
-----------------------------+----------------------------------------------
Reporter: markjaquith | Owner: markjaquith
Type: defect | Status: new
Priority: highest omg bbq | Milestone: 2.0.10
Component: Security | Version: 2.1.2
Severity: critical | Keywords: comment nonce form security XSS XSRF
-----------------------------+----------------------------------------------
As reported at:
http://www.virtuax.be/advisories/Advisory4-20022007.txt
Users with the {{{unfiltered_html}}} capability get to skip KSES stripping
of harmful HTML markup. An XSRF attack can be used to trick these users
into submitting comments with harmful XSS-laden markup.
Attached patch is a first stab at a solution for trunk, 2.0.x and 2.1.x.
The patch alters {{{wp_nonce_field()}}} so that the form {{{name}}} can be
specified. For users with {{{unfiltered_html}}} the {{{comment_form}}}
hook is used to use {{{wp_nonce_field}}} to inject a hidden nonced field,
using a special {{{name}}}.
On comment submit, users with {{{unfiltered_html}}} have this nonce
checked. If the nonce check fails, KSES silently reverts to normal
non-{{{unfiltered_html}}} operation, zapping any XSS-esque content and
rendering the attack useless. This silent fallback is used so that themes
without the {{{comment_form}}} hook don't block
{{{unfiltered_html}}}-capable comments... they just sanitize them more
closely than they would if the theme supported the {{{comment_form}}}
hook.
Triple milestone: 2.2 (trunk), 2.1.3, 2.0.10
Trunk has been tested with this patch, and 2.1.x applied cleanly. 2.0.x
has not yet been tested.
--
Ticket URL: <http://trac.wordpress.org/ticket/3973>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
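The mechanism the ticket describes (a nonced hidden field injected via the comment_form hook, checked on submit, with a silent fallback to KSES) written out as a small stand-alone plugin. This is an added illustration, not the ticket's patch or WordPress core code; the EX_ constants and ex_ function names are constructed, and it assumes the four-argument wp_nonce_field($action, $name, $referer, $echo) form the ticket introduces, plus the existing wp_verify_nonce(), current_user_can(), wp_filter_kses() and the comment_form / pre_comment_content hooks.

```php
<?php
// Added illustration of the nonce-gated unfiltered_html fallback for
// comments. Not the ticket's patch; names prefixed EX_/ex_ are constructed.

// Constructed nonce action prefix and hidden field name.
const EX_NONCE_ACTION = 'unfiltered-html-comment';
const EX_NONCE_FIELD  = '_ex_unfiltered_html_comment';

// Runs inside the theme's comment form via the comment_form hook, which
// passes the post ID. Only users who may skip KSES receive the field;
// everyone else is KSES-filtered anyway, so they need no nonce.
function ex_comment_form_nonce( $post_id ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        // Nonce is tied to the post so a token for one post cannot be
        // replayed against another; $echo = false, so print it ourselves.
        echo wp_nonce_field( EX_NONCE_ACTION . '_' . (int) $post_id, EX_NONCE_FIELD, false, false );
    }
}
add_action( 'comment_form', 'ex_comment_form_nonce' );

// At submit time, a request may bypass KSES only if the user holds
// unfiltered_html AND the request carries a valid nonce for this post.
// A missing field (theme without the comment_form hook) and a forged
// cross-site request both fail here in exactly the same way.
function ex_request_may_skip_kses( array $fields ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return false;
    }
    $post_id = isset( $fields['comment_post_ID'] ) ? (int) $fields['comment_post_ID'] : 0;
    $nonce   = isset( $fields[ EX_NONCE_FIELD ] ) ? (string) $fields[ EX_NONCE_FIELD ] : '';
    return (bool) wp_verify_nonce( $nonce, EX_NONCE_ACTION . '_' . $post_id );
}

// pre_comment_content filter: when the nonce check fails, fall back to the
// normal KSES pass rather than rejecting the comment. The comment is still
// accepted; only its markup is stripped, so themes lacking the hook keep
// working and an XSRF-planted payload is reduced to harmless HTML.
function ex_filter_comment_content( $content ) {
    if ( ex_request_may_skip_kses( $_POST ) ) {
        return $content;
    }
    return wp_filter_kses( $content );
}
add_filter( 'pre_comment_content', 'ex_filter_comment_content' );
```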