• Is anyone in development aware of, or has anyone addressed the security vuln which was released yesterday? I’ll post the content here, as it also includes the fix. I am about to embark on the fix, but I didn’t see anything here about this being addressed, so here it is:

    ============================================================
    Title: WordPress XSS and HTML injection
    Vulnerability discovery: SoulBlack – Security Research –
    https://soulblack.com.ar
    Date: 12/04/2005
    Severity: Medium. Users can obtain other users' cookies and deface the website
    Affected version: <= 1.5
    ============================================================

    ============================================================
    *Summary
    https://www.ads-software.com. WordPress is a popular blogging system built on
    PHP (the scripting language) and is licensed under the GPL. It is free
    software supported by a large and vibrant community of users. You can
    use WordPress as a stand-alone application to publish your web log, or
    incorporate its functionality into an existing site.

    ============================================================
    *Problem Description:
    The bug is in the post content and title: input characters are not
    controlled, so HTML code can be injected.

    ============================================================
    *Example:
    Type in the title or content of post

    <script>alert(document.cookie)</script>

    <iframe src=https://othersite/sb.php>

    ============================================================
    *Fix:
    wordpress\wp-includes\template-functions-post.php

    function get_the_title($id = 0) {
    // ... (unchanged body)
    return $title;
    }

    replace with the following function:

    function get_the_title($id = 0) {
    // ... (unchanged body)
    // Replace the characters with their HTML entities so the browser shows them as text
    $sb_convert = $title;
    $sb_input = array("<", ">", "(", ")");
    $sb_output = array("&lt;", "&gt;", "&#40;", "&#41;");
    $title = str_replace($sb_input, $sb_output, $sb_convert);
    return $title;
    }

    function get_the_content($more_link_text = '(more...)', $stripteaser = 0, $more_file = '') {
    // ... (unchanged body)
    return $output;
    }

    replace with the following function:

    function get_the_content($more_link_text = '(more...)', $stripteaser = 0, $more_file = '') {
    // ... (unchanged body)
    // Replace the characters with their HTML entities so the browser shows them as text
    $sb_convert = $output;
    $sb_input = array("<", ">", "(", ")");
    $sb_output = array("&lt;", "&gt;", "&#40;", "&#41;");
    $output = str_replace($sb_input, $sb_output, $sb_convert);
    return $output;
    }

    ============================================================

Viewing 9 replies - 1 through 9 (of 9 total)
  • Interesting.

    One thing that I don't like is that it is NOT mentioned on https://www.securiteam.com/ or any other related web site that I've checked.

    The other thing I don't like is that I am not able to follow exactly how they're calling the exploit. I understand what they have said, but cannot recreate it. Therefore, since it is not mentioned anywhere else, I'm hesitant to change a file since perhaps I am introducing a problem. Especially when the fix is coming from THEM and not someone here.

    Just my .02 and I will be waiting for any other responses.

    Edit: Actually I just realized that unless I'm misreading that completely, that's only exploitable via posting? (I checked comments btw, good thing most people don't allow <script> tags.) I was in fact able to snag a cookie with their example.

    Which makes it somewhat less sketchy than on first glance.

    Moderator James Huff

    (@macmanx)

    Thank you for spreading the fear. From now on, DO NOT post security vulnerabilities on public forums. If you want to submit a bug, see: https://codex.www.ads-software.com/Submitting_Bugs

    Maybe there needs to be a ‘security list’ that select people can subscribe to? For those of us doing extensive hacking and plugins and such, would be nice if the devs would share the ‘problems’ and the ‘solutions’ with a larger audience.

    And security vulnerabilities are already getting posted in public forums, why wouldn’t we want people to know? I mean, make a ‘Security’ section on the site here that DOESN’T show up in the normal front-page master list, so the average joe doesn’t freak, but the rest of us have a forum to discuss stuff.

    I find that too much is being pushed to bug dbs and email lists, where the primary devs might be able to track easily, but for the rest of us it's a signal-to-noise problem…

    -d

    Moderator James Huff

    (@macmanx)

    Because it was a problem last time. The security issue poster did not notify the developers and only posted the issue on the forums. As a result, the developers had no clue about the issue and exploits of the vulnerability spread like wildfire.

    In my opinion, this isn’t as much of a threat to WordPress as it seems.

    In essence, the 'exploit' is that a registered user with posting permission can include any HTML, including javascript or an iframe, in a post title or a post body. This javascript would then be executed or the iframe be visible in any reader's browser!

    That’s right. It’s a blogging system. It’s a simplified CMS. It would be a pretty poor one without HTML.

    In other words if you trust someone, including yourself, to post stories on your blog then you have to trust that they won’t do anything naughty!

    I don’t see that that is any different from any situation where you allow someone trusted to put content on your site.

    Maybe someone could produce a plug-in that disables all html for use on a multi author site where you don’t trust the authors! Perhaps you might want to only allow them to use Textile or Markdown, though neither cover all that you might want to do in a post.
    Anyway, the above code is simplistic and inappropriate. There are better ways of sanitizing text. Take a look at the use of the kses filter.

    Thanks Mike !

    "There are better ways of sanitizing text. Take a look at the use of the kses filter."

    I’d emphasize that point, over and over again. If one is truly concerned over this “exploit”, add a couple filters on post title and content. Problem solved.

    Excellent post, Mike.
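As an added example of what Mike and the reply above suggest (this is not code from the thread or from WordPress itself), the following small plugin runs post titles and bodies through WordPress's own `wp_kses()` with an explicit allow list instead of the advisory's four-character `str_replace`. The plugin name, the `sb_example_*` function names and the allow list are assumptions; `wp_kses()`, `add_filter()`, `the_title` and `the_content` are existing WordPress APIs.

```php
<?php
/*
Plugin Name: Author Content Sanitizer (added example, hypothetical)
Description: Filters post titles and bodies through wp_kses with an allow list.
*/

// Tags and attributes untrusted authors may use in a post body.
// Anything not listed (script, iframe, style, on* event attributes, ...)
// is removed by wp_kses; the text inside a removed tag is kept as plain text.
$sb_example_allowed_body = array(
    'a'          => array('href' => array(), 'title' => array()),
    'b'          => array(),
    'blockquote' => array(),
    'em'         => array(),
    'i'          => array(),
    'p'          => array(),
    'strong'     => array(),
    'ul'         => array(),
    'ol'         => array(),
    'li'         => array(),
);

// Titles get no markup at all: an empty allow list strips every tag.
function sb_example_filter_title($title) {
    return wp_kses($title, array());
}

// Bodies keep basic formatting; href values are limited to a few schemes
// so "javascript:" style links are dropped along with the forbidden tags.
function sb_example_filter_content($content) {
    global $sb_example_allowed_body;
    return wp_kses($content, $sb_example_allowed_body, array('http', 'https', 'mailto'));
}

// Hook the display-time filters WordPress applies to every rendered post.
// Filtering at output leaves the stored post untouched, so the allow list
// can be tightened later without re-editing existing posts.
add_filter('the_title',   'sb_example_filter_title');
add_filter('the_content', 'sb_example_filter_content');
```

With the plugin active, the advisory's `<script>alert(document.cookie)</script>` title renders as the plain text `alert(document.cookie)` and the `<iframe ...>` tag is dropped entirely, while legitimate formatting in the body survives.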

    Thread Starter thebleedingedge

    (@thebleedingedge)

    macmanx: Nobody's "spreading fear", and clearly that wasn't my intention. Obviously I'm concerned about the security of any software I'm using, as should anyone else be. I'm not responsible for this person releasing his code into many public forums. I received this information on an easily accessible and very popular security mailing list. Any nefarious "hacker" already has this information, and I obviously have an interest in ensuring that developers here do too. Since it includes CODE WHICH CAN FIX THE PROBLEM, it makes sense to deliver it to those who can do something about it. There's no link on "www.ads-software.com" to the link you suggest, so perhaps instead of chastising me for "spreading fear", you should make available a proper and clearly defined mechanism for submitting security vulnerabilities.

    Sorry you’re upset about it and implicating ME as one who “spreads fear”. When there’s an exploit already available in the wild, the fear is justified. I asked a question, provided the data, and don’t need to be “scolded” for it, but thanks just the same.

    Moderator James Huff

    (@macmanx)

    My apologies, this is just a pet-peeve of mine.

  • The topic 'Security issue' is closed to new replies.