WordPress 2.3: edit-post-rows XSS Vulnerability

Janek Vind "waraxe" has disclosed an XSS vulnerability that affects WordPress 2.3 (the latest release, 2.3.1, is not affected).

The vulnerability can be found in "wp-admin/edit-post-rows.php". The affected code is as follows:

<?php foreach($posts_columns as $column_display_name) { ?>
<th scope="col"><?php echo $column_display_name; ?></th>
<?php } ?>

This vulnerability requires the affected web site to have register_globals enabled in order to set the "posts_columns" variable.

Proof of concept:

http://victim.com/wp-admin/edit-post-rows.php?
       posts_columns[]=<script>alert(1)</script>

This vulnerability should not affect WP <2.3 (checked on 2.2.3).

Please upgrade to WordPress 2.3.1 if you are running WordPress 2.3.
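The pattern behind this bug, shown next to a hardened form, as an added example that is not WordPress source code and not the 2.3.1 patch. The function names and the APP_BOOTSTRAPPED constant are hypothetical, and extract() stands in for register_globals so the script runs on current PHP.

```php
<?php
// Added illustration; not WordPress source. Function names are hypothetical.

// Constructed input: what register_globals would inject from the query string.
$request = ['posts_columns' => ['<script>alert(1)</script>']];

// Vulnerable pattern: the template never initialises $posts_columns, so
// request data fills it in (extract() stands in for register_globals = On).
function render_header_vulnerable(array $request): string
{
    extract($request);
    $html = '';
    foreach ($posts_columns as $column_display_name) {
        $html .= '<th scope="col">' . $column_display_name . "</th>\n";
    }
    return $html;
}

// Hardened pattern: columns are passed in explicitly by the caller,
// non-string values are dropped, and every value is HTML-escaped at output.
function render_header_hardened(array $posts_columns): string
{
    $html = '';
    foreach ($posts_columns as $column_display_name) {
        if (!is_string($column_display_name)) {
            continue;
        }
        $html .= '<th scope="col">'
            . htmlspecialchars($column_display_name, ENT_QUOTES, 'UTF-8')
            . "</th>\n";
    }
    return $html;
}

// Direct-access check for include-only templates: a real template would
// exit at its first line when the bootstrap constant is missing.
function is_direct_access(): bool
{
    return !defined('APP_BOOTSTRAPPED');
}

echo "vulnerable: ", render_header_vulnerable($request);
echo "hardened:   ", render_header_hardened($request['posts_columns']);
echo "direct access: ", is_direct_access() ? "yes, template should exit\n" : "no\n";
```

The vulnerable function returns the script tag unchanged inside the `<th>` element, while the hardened one returns it as inert `&lt;script&gt;` text.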


Comments

This flaw affects only 2.3, within 2.3.1 it’s fixed and below 2.3 the file wasn’t there. Anyway I’m not sure who discovered that flaw at all as Peter Westwood covered that one already and I didn’t find any Trac entry for that one. Maybe the developer got the attention to it, without any notice.

Thanks for the update Phil.

[...] XSS injection in edit-post-rows.php, with register_globals on (More) [...]

[WordPress] XSS vulnerability in 2.3…

According to Blog Security, there is an XSS hole in WordPress 2.3.
This hole only affects web hosts with register_global enabled, and only version 2.3. Versions 2.2.3 and the current version 2.3.1 are not affected.
Again…

[...] was a vulnerability announced in Wordpress 2.3. It’s resolved in 2.3.1 and doesn’t appear to exist in earlier [...]

XSS vulnerability “edit-post-rows” in WordPress 2.3…

If you are still using version 2.3 of WordPress, it is time to update to the latest 2.3.1, since on top of the list of bugs that have been coming out (one of the most serious was discussed here), another XSS flaw has just been reported.

This time it is a flaw…

[...] has dared to, should now start the update to version 2.3.1. It contains a few bug fixes and closes an XSS hole. I already did the update this week without problems [...]

[...] blogroll spam on Wordpress 2.3 Wordpress 2.3: edit-post-rows XSS Vulnerability Related Posts: Valid XHTML for Videos: Youtube, Google, MySpace and Metacafe on Wordpress in [...]
