Saturday, 8 January 2011

WordPress 3.0.4 addresses Cross-Site-Scripting flaws



In an email
to users on Thursday, WordPress urged everyone to apply the latest update in order to fix critical flaws in the input sanitation library.


The latest version of WordPress, which is available via the admin dashboard on current installations, fixes Persistent Cross-Site-Scripting (XSS) flaws in the HTML sanitation library, also known as KSES.


Matt Mullenweg, in an email to WordPress users, explained that their final message this year is both unfortunate and important.


“We've fixed a pretty critical vulnerability in WordPress' core HTML sanitation library, and because this library is used lots of places it's important that everyone update as soon as possible,” outlined Mullenweg.


“I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well,” he added.


On the WordPress blog, Mullenweg also asked that anyone familiar with the issue examine the changes as well, saying: “We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible.”


Normal XSS attacks will use the malicious code immediately, but a Persistent XSS attack is dangerous because the attack code is stored by the server. When this happens, it is permanently displayed on the rendered pages.


Whereas an attacker would need to lure victims to a compromised website to leverage a typical XSS attack, a Persistent XSS attack can sit idle and attack visitors to a given domain as and when they appear.


“On initial inspection it would appear to be quite trivial for folks with malicious intent to exploit these flaws,” commented Chester Wisniewski, senior security advisor at Sophos Canada.


“The flaws exist in parts of the code which are case-sensitive when detecting which protocols are allowed in certain parts of the application. The update prohibits evading the rules with mixed case input.”


Updating to the latest version will take just a few minutes and is well worth the effort. In addition, users should check their plugins and ensure they are updated as well, especially as they're located in the open admin panel.

No comments:

Post a Comment