-> "WordPress XSS under function wp_title()" <-
Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <http://wordpress.org/>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions:
-> Series 2.0.x: <= 2.0.10-alpha
-> Series 2.1.x: <= 2.1.3-alpha
-> Series SVN latest: <= 2.2-bleeding (Revision 5002)
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.
The query variable "year" used inside the function "wp_title" is not sanitized,
so it allows a non-persistent (reflected) cross site scripting attack.
$title takes the raw value (without any type of filter) of $year, which is a
query variable that can be set from any web browser via a simple
GET parameter.
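The following is an added illustration of the pattern the advisory describes, not code from WordPress and not the vendor's patch: the function names, the shape of the title-building code, the integer cast used as the fix and the probe input are all assumptions made for this example. It places the unfiltered shape beside a hardened one and feeds both the same constructed request so the difference in output is visible.

```php
<?php
// Illustrative reconstruction of the pattern described in the advisory.
// NOT WordPress's wp_title() and NOT the vendor's fix; names, structure
// and the chosen hardening are assumptions for this example only.

// Unfiltered shape: the "year" query variable is copied into $title as-is,
// so whatever the visitor puts in ?year=... lands inside the <title> element.
function title_from_query_vulnerable(array $query_vars, string $sep = '&raquo;'): string
{
    $title = '';
    if (!empty($query_vars['year'])) {
        $title = $query_vars['year'];                 // raw, attacker controlled
        if (!empty($query_vars['monthnum'])) {
            $title .= " $sep " . $query_vars['monthnum'];   // also raw
        }
    }
    return $title;
}

// Hardened shape (assumed fix for this example): a date component can only
// ever be digits, so cast each one to an integer before it is used. PHP's
// (int) cast keeps only the leading numeric prefix, so "2007<b>x</b>" -> 2007
// and "<script>" -> 0, which the range check then rejects.
function title_from_query_hardened(array $query_vars, string $sep = '&raquo;'): string
{
    $title = '';
    $year  = isset($query_vars['year']) ? (int) $query_vars['year'] : 0;
    if ($year > 0) {
        $title = (string) $year;
        $month = isset($query_vars['monthnum']) ? (int) $query_vars['monthnum'] : 0;
        if ($month >= 1 && $month <= 12) {
            $title .= " $sep " . sprintf('%02d', $month);
        }
    }
    return $title;
}

// Constructed request (not a real payload): a harmless marker tag in "year".
$probe = ['year' => '2007<b>marker</b>', 'monthnum' => '3'];

$vuln = title_from_query_vulnerable($probe);
$safe = title_from_query_hardened($probe);

echo "<title>$vuln</title>\n";   // marker tag arrives in the page as live markup
echo "<title>$safe</title>\n";   // <title>2007 &raquo; 03</title>

// Self-check: the unfiltered output still carries the raw tag, the hardened
// output does not.
assert(strpos($vuln, '<b>') !== false);
assert(strpos($safe, '<b>') === false);
```

To check your own install without a script payload, request the archive page with a harmless marker in the year parameter and look for that marker unescaped inside the returned <title> element; if it comes back verbatim, the installed version still has the unfiltered behaviour described above.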
ChX Security will not release any proof of concept.
The latest SVN revision (greater than revision 5002) has already fixed
this bug:
http://trac.wordpress.org/changeset/5003
For series 2.1.x and 2.0.x, the vendor will fix this in the next set
of dot releases.
Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007
Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all mexican white hats.
White Hat Powa.
ChX Security
http://chxsecurity.org/
(c) 2007
–
Copy: http://chxsecurity.org/advisories/adv-1-mid.txt
g30rg3_x