Monday, 22 August 2011

Wordpress 3.2.1 persistent xss exploit

Here is a WordPress 3.2.1 core (post-template.php) improper sanitizing (persistent XSS) vulnerability, by silentph33r aka Darshit Ashara. This is an author-level vulnerability: it requires an account with author privileges.

Recently a WordPress vulnerability was reported in TimThumb, and now a new vulnerability has been discovered in a core module.

Author : Darshit Ashara
Contact : john_pwnr@yahoo.com
Love to : A Gondela, Y Jaygadkar, A Dhaka, Rahul Sasi,
Team Indishell and Garage4hackers.

=======================================================
Improperly sanitized code in the WordPress core module post-template.php
causes cross-site scripting: a stored payload gives an alert on the index page and the post page.


Below are temporary patches for fixing this.
The vendor has been notified about this vulnerability.



/* This will patch XSS in the Index Page */
Vulnerable Code Part 1
function the_title($before = '', $after = '', $echo = true) {
    $title = get_the_title();

    if ( strlen($title) == 0 )
        return;

    $title = $before . $title . $after;

    if ( $echo )
        echo htmlentities($title); /* Line No 52 Patch */
    else
        return htmlentities($title); /* Line No 54 Patch */
}
Vulnerable Code Part 2
function the_title_attribute( $args = '' ) {
    $title = get_the_title();

    if ( strlen($title) == 0 )
        return;

    $defaults = array('before' => '', 'after' =>  '', 'echo' => true);
    $r = wp_parse_args($args, $defaults);
    extract( $r, EXTR_SKIP );

    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title));

    if ( $echo )
        echo htmlentities($title); /* Line No 87 Patch here by adding htmlentities */
    else
        return htmlentities($title); /* Line No 89 Patch */
}
Vulnerable Code Part 3
function get_the_title( $id = 0 ) {
    $post = &get_post($id);

    $title = isset($post->post_title) ? $post->post_title : '';
    $id = isset($post->ID) ? $post->ID : (int) $id;

    if ( !is_admin() ) {
        if ( !empty($post->post_password) ) {
            $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
            $title = sprintf($protected_title_format, $title);
        } else if ( isset($post->post_status) && 'private' == $post->post_status ) {
            $private_title_format = apply_filters('private_title_format', __('Private: %s'));
            $title = sprintf($private_title_format, $title);
        }
    }
    return htmlentities(apply_filters( 'the_title', $title, $id )); /* Line No 119 Patch */
}
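As an added, stand-alone illustration (not code from this advisory or from WordPress core), the PHP below models the two output contexts that post-template.php writes a post title into, using plain PHP escaping functions in place of the WordPress ones, and shows what a second encoding pass does to an already-escaped attribute value, as in the Part 2 patch above. The title string is a constructed sample.

```php
<?php
// Added example, not code from the advisory or from WordPress core.
// Models the two output contexts post-template.php writes a title into
// (HTML body for the_title(), attribute for the_title_attribute()) using
// plain PHP escaping, and shows the effect of stacking htmlentities() on
// an already-escaped attribute value as the Part 2 patch does.

// Constructed sample: a title containing markup and characters that are
// special in HTML. Any Author-level user can set a post title.
$title = 'Q1 "Results" & <script>alert(1)</script> report';

/** HTML body context: escape once; ENT_QUOTES makes both quote styles inert. */
function render_title_html($title) {
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

/** Attribute context: strip tags, then escape once for the attribute. */
function render_title_attr($title) {
    $attr = htmlspecialchars(strip_tags($title), ENT_QUOTES, 'UTF-8');
    return '<a href="#" title="' . $attr . '">permalink</a>';
}

/** Shape of the Part 2 patch: a second encoding pass over escaped text. */
function double_escaped_attr($title) {
    $once = htmlspecialchars(strip_tags($title), ENT_QUOTES, 'UTF-8');
    return htmlentities($once, ENT_QUOTES, 'UTF-8'); // re-encodes the '&' of each entity
}

// Unescaped (the 3.2.1 behaviour the advisory describes): the script tag
// reaches the browser intact, so a stored title runs on every page that prints it.
echo '<h2>' . $title . "</h2>\n";

// Escaped once per context: markup is rendered as text, the attribute cannot be broken out of.
echo render_title_html($title), "\n";
echo render_title_attr($title), "\n";

// Escaped twice: the reader sees literal "&amp;quot;" and "&amp;amp;" in the page.
echo double_escaped_attr($title), "\n";
```

Run it with `php example.php`; the last line shows why the escaping should be applied once, at the point of output, for each context rather than layered on top of esc_attr().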

