lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 12 Apr 2005 03:47:53 -0300
From: Nicolas Montoza <xonico@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
	news@...uriteam.com, helpout@...dpress.org, sec@...lblack.com.ar,
	bugs@...uritytracker.com, submissions@...ketstormsecurity.org,
	vuln@...unia.com
Subject: WordPress XSS and HTML injection


============================================================
Title: WordPress XSS and HTML injection
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 12/04/2005
Severity: Medium. users can obtain cookies of other users and defacement website
Affected version: <= 1.5
============================================================

============================================================
*Summary
http://wordpress.org. Wordpress is a popular blogging system built on
PHP (the scripting language) and is licensed under the GPL. It is free
software supported by a large and vibrant community of users. You can
use WordPress as a stand-alone application to publish your web log, or
incorporate its functionality into an existing site.

============================================================
*Problem Description:
Bug is in the content and  title of post, when not controlling the
entrance of  characters, being able to inject HTML code

============================================================
*Example:
Type in the title or content of post

  <script>alert(document.cookie)</script>

  <iframe src=http://othersite/sb.php>

============================================================
*Fix:
  wordpress\wp-includes\template-functions-post.php

function get_the_title($id = 0) {
	.
	.
	.
	return $title;
}

replace for by function

function get_the_title($id = 0) {
	.
	.
	.
	$sb_convert = $output;
	$sb_input =  array("<",">","(",")");
	$sb_output = array("&lt;","&gt;","&#40;","&#41;");
	$output = str_replace($sb_input, $sb_output, $sb_convert);
	return $title;
}


function get_the_content($more_link_text = '(more...)', $stripteaser =
0, $more_file = '') {
	.
	.
	.
	return $output;
}

replace for by function

function get_the_content($more_link_text = '(more...)', $stripteaser =
0, $more_file = '') {
	.
	.
	.
	$sb_convert = $output;
	$sb_input =  array("<",">","(",")");
	$sb_output = array("&lt;","&gt;","&#40;","&#41;");
	$output = str_replace($sb_input, $sb_output, $sb_convert);
	return $output;
}

============================================================
-- 
 SoulBlack - Security Research
 http://www.soulblack.com.ar

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ