WordPress XSS under function wp_title()

2007-03-1000:00:00

vulners.com

JSON

ChX Security |
Advisory #1 |

-> "WordPress XSS under function wp_title()" <-

Data |

Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <http://wordpress.org/>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions:
-> Series 2.0.x: <= 2.0.10-alpha
-> Series 2.1.x: <= 2.1.3-alpha
-> Series SVN latest: <= 2.2-bleeding (Revision 5002)

Program Description |

WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

Overview |

The query variable "year" inside the function "wp_title", its not sanitized
so it allows a non persistent cross site scripting attack.

WorkAround |

$title takes the value in raw (without any type of filter) of $year which is an
a query variable, that can be filled with any web browser via a simply
GET parameter.

Proof Of Concept|

ChX Security will not release any proof of concept.

Solution/Fix|

The lastest SVN Revision (greater than revision 5002) has alredy fixed
this bug…
http://trac.wordpress.org/changeset/5003

For series 2.1.x and 2.0.x, the vendor will fix this in the next set
of dot releases.

Dates |

Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007

Shouts |

Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all mexican white hats.
White Hat Powa.

        ChX Security
   http://chxsecurity.org/
         &#40;c&#41; 2007

–
Copy: http://chxsecurity.org/advisories/adv-1-mid.txt

         g30rg3_x