WordPress ’wp-includes/general-template.php‘ WP_Title函数跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1191089 漏洞类型 跨站脚本
发布时间 2007-03-09 更新时间 2007-05-02
CVE编号 CVE-2007-1894 CNNVD-ID CNNVD-200704-106
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://www.securityfocus.com/bid/22902
https://cxsecurity.com/issue/WLB-2007040033
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-106
|漏洞详情
WordPress是一套用于艺术类的Web出版发布系统。WordPress的wp-includes/general-template.php中存在跨站脚本攻击漏洞。远程攻击者可以借助wp_title函数中的年参数,注入任意的web脚本或HTML。
|漏洞EXP
_____________
ChX Security |
Advisory #1  |
=============

->    "WordPress XSS under function wp_title()"    <-

______
 Data |
======
Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <http://wordpress.org/>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions:
 -> Series 2.0.x: <= 2.0.10-alpha
 -> Series 2.1.x: <= 2.1.3-alpha
 -> Series SVN latest: <= 2.2-bleeding (Revision 5002)

____________________
Program Description |
====================
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

_________
Overview |
=========
The query variable "year" inside the function "wp_title", its not sanitized
so it allows a non persistent cross site scripting attack.

___________
WorkAround |
===========
$title takes the value in raw (without any type of filter) of $year which is an
a query variable, that can be filled with any web browser via a simply
GET parameter.

________________
Proof Of Concept|
================
ChX Security will not release any proof of concept.

____________
Solution/Fix|
============
The lastest SVN Revision (greater than revision 5002) has alredy fixed
this bug...
http://trac.wordpress.org/changeset/5003

For series 2.1.x and 2.0.x, the vendor will fix this in the next set
of dot releases.

______
Dates |
======
Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007
_______
Shouts |
=======
Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all mexican white hats.
White Hat Powa.

ChX Security
       http://chxsecurity.org/
             (c) 2007

-- 
Copy: http://chxsecurity.org/advisories/adv-1-mid.txt
_________________________
             g30rg3_x
|受影响的产品
WordPress WordPress 2.1.2 WordPress WordPress 2.1.1 WordPress WordPress 2.0.7 WordPress WordPress 2.0.6 WordPress WordPress 2.0.5 WordPress WordPress 2.0.4
|参考资料

来源:BID
名称:22902
链接:http://www.securityfocus.com/bid/22902
来源:SECUNIA
名称:24485
链接:http://secunia.com/advisories/24485
来源:BUGTRAQ
名称:20070309WordPressXSSunderfunctionwp_title()
链接:http://www.securityfocus.com/archive/1/archive/1/462374/100/0/threaded
来源:trac.wordpress.org
链接:http://trac.wordpress.org/ticket/4093
来源:trac.wordpress.org
链接:http://trac.wordpress.org/changeset/5003
来源:MISC
链接:http://chxsecurity.org/advisories/adv-1-mid.txt
来源:DEBIAN
名称:DSA-1285
链接:http://www.debian.org/security/2007/dsa-1285
来源:SREASON
名称:2526
链接:http://securityreason.com/securityalert/2526
来源:SECUNIA
名称:25108
链接:http://secunia.com/advisories/25108