[wp-trac] [WordPress Trac] #9138: Mask HTML output in _wp_dashboard_recent_comments_row()

WordPress Trac wp-trac at lists.automattic.com
Sun Feb 15 12:43:41 GMT 2009

#9138: Mask HTML output in _wp_dashboard_recent_comments_row()
 Reporter:  mastermind    |       Owner:  ryan
     Type:  defect (bug)  |      Status:  new 
 Priority:  normal        |   Milestone:  2.8 
Component:  Security      |     Version:      
 Severity:  normal        |    Keywords:      
 In _wp_dashboard_recent_comments_row(), dashboard.php, the post_title of a
 post is printed as in the database. HTML special characters are not

 This is not a security problem by itself, but it can facilitate XSS
 exploits. For example, if an attacker manages to insert JavaScript into a
 post's title and leaves a comment for this post, then as soon as an admin
 loads the dashboard, the JavaScript is executed. (I did not make this up;
 this is a scenario with a vulnerable plugin, for which I was able to
 create a PoC exploit.)

 Luckily, with WP 2.7+ and PHP 5.2+, the auth cookies are HttpOnly. But
 they aren't on older setups, and there are enough other nasty XSS attacks
 (e.g. in conjunction with Social Engineering), which can make this
 potentially dangerous.

 1. {{{UPDATE wp_posts SET post_title = CONCAT(post_title, '<script
 type="text/javascript">alert("XSS!");</script>') WHERE ID = 1;}}}[[BR]]
 2. To be sure that the comment with the according post_title is shown in
 the dashboard, leave a comment[[BR]]
 3. Go to the admin dashboard.

 In dashboard.php:483, change:[[BR]]
 {{{$comment_post_title = get_the_title( $comment->comment_post_ID );}}}

 {{{$comment_post_title = htmlspecialchars( get_the_title(
 $comment->comment_post_ID ) );}}}

Ticket URL: <https://core.trac.wordpress.org/ticket/9138>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
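
The change proposed in the ticket, as an added example that is not part of the original report or of WordPress's own code. The helper names `render_row_raw()` and `render_row_escaped()`, the sample titles and the single-quoted `title` attribute are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical helpers, not WordPress functions.

// Constructed sample titles: one as it would be stored after the UPDATE in the
// ticket, one with quotes and an ampersand to exercise the attribute context.
$titles = array(
    'Hello world!<script type="text/javascript">alert("XSS!");</script>',
    'Tom\'s "quoted" title & more',
);

// Before: the title is emitted exactly as stored, so any markup in it
// becomes part of the dashboard page.
function render_row_raw( $title, $url ) {
    return '<a href="' . $url . '" title=\'' . $title . '\'>' . $title . '</a>';
}

// After: escape at output time. ENT_QUOTES is passed explicitly because PHP
// versions before 8.1 default to ENT_COMPAT, which leaves single quotes as-is
// and would let a title break out of a single-quoted attribute.
function render_row_escaped( $title, $url ) {
    $safe_title = htmlspecialchars( $title, ENT_QUOTES, 'UTF-8' );
    $safe_url   = htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    return '<a href="' . $safe_url . '" title=\'' . $safe_title . '\'>' . $safe_title . '</a>';
}

// Count "<" characters that do not open or close the template's own <a> tag.
function count_foreign_tags( $html ) {
    return preg_match_all( '/<(?!\/?a[ >])/', $html );
}

foreach ( $titles as $title ) {
    $raw     = render_row_raw( $title, '/?p=1' );
    $escaped = render_row_escaped( $title, '/?p=1' );
    printf( "raw:     %s\n", $raw );
    printf( "escaped: %s\n", $escaped );
    printf(
        "foreign tags: raw=%d escaped=%d\n\n",
        count_foreign_tags( $raw ),
        count_foreign_tags( $escaped )
    );
}
```

A check like `count_foreign_tags()` can be reused in a regression test for any template that prints database fields.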
