WordPress XSS under function wp_title()
- From: g30rg3_x <g30rg3x@xxxxxxxxx>
- Date: Fri, 9 Mar 2007 16:16:25 -0600
ChX Security |
Advisory #1 |
-> "WordPress XSS under function wp_title()" <-
Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <http://wordpress.org/>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
-> Series 2.0.x: <= 2.0.10-alpha
-> Series 2.1.x: <= 2.1.3-alpha
-> Series SVN latest: <= 2.2-bleeding (Revision 5002)
Program Description |
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.
The query variable "year" inside the function "wp_title" is not sanitized,
so it allows a non-persistent cross-site scripting attack.
$title takes the raw value (without any type of filter) of $year, which is
a query variable that can be filled in from any web browser via a simply
Proof Of Concept|
ChX Security will not release any proof of concept.
The latest SVN revision (greater than revision 5002) has already fixed
For series 2.1.x and 2.0.x, the vendor will fix this in the next set
of dot releases.
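
The pattern described in this advisory, as an added example: a simplified model of an unfiltered "year" query variable reaching the page title, beside one hardened form. It is not WordPress source code and not the vendor's patch; the function names `build_title_unsafe` and `build_title_safe`, the blog name and the sample requests are assumptions made for illustration.

```php
<?php
// Simplified model of the pattern in the advisory; NOT WordPress source.
// Function names and the sample requests are assumptions for illustration.

// Vulnerable shape: the "year" query variable is copied into the title as-is.
function build_title_unsafe(array $query, string $blogName): string
{
    $title = $blogName;
    if (isset($query['year']) && $query['year'] !== '') {
        $title = $query['year'] . ' - ' . $title;   // raw, unfiltered value
    }
    return '<title>' . $title . '</title>';
}

// Hardened shape: validate the type on input, then encode on output.
function build_title_safe(array $query, string $blogName): string
{
    $title = $blogName;
    $year  = $query['year'] ?? '';
    // A year is 1 to 4 digits and nothing else; anything else is dropped.
    if (is_string($year) && preg_match('/^\d{1,4}\z/', $year) === 1) {
        $title = (int) $year . ' - ' . $title;
    }
    // Encode for the HTML context even though the value is now numeric,
    // so a later change to the validation cannot reintroduce the bug.
    return '<title>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</title>';
}

// Constructed sample requests: one ordinary, one carrying inert markup.
$samples = [
    ['year' => '2007'],
    ['year' => '2007</title><b>marker</b>'],
];

foreach ($samples as $query) {
    echo 'input : ', $query['year'], PHP_EOL;
    echo 'unsafe: ', build_title_unsafe($query, 'My Blog'), PHP_EOL;
    echo 'safe  : ', build_title_safe($query, 'My Blog'), PHP_EOL, PHP_EOL;
}
```

For the second sample, the unsafe builder emits the markup unchanged inside the document head, while the hardened builder drops the non-numeric value and falls back to the plain blog title.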
Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007
Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all Mexican white hats.
White Hat Powa.