Greenguy's Board

Greenguy's Board (http://www.greenguysboard.com/board/index.php)
-   General Business Knowledge (http://www.greenguysboard.com/board/forumdisplay.php?f=10)
-   -   Wordpress 3.0.4 XSS critical update (http://www.greenguysboard.com/board/showthread.php?t=60138)

cd34 2010-12-29 05:29 PM

Wordpress 3.0.4 XSS critical update
 
http://wordpress.org/news/2010/12/3-0-4-update/

Quote:

Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.

Bill 2010-12-29 05:40 PM

Do you have a sense of what the vulnerability is? Have you seen or heard of anything exploited yet?

cd34 2010-12-29 05:48 PM

I haven't pulled down 3.0.3 and 3.0.4 yet to see what they changed. I've never understood why anyone tries to clean up data... if it doesn't match your validation, it should be declined.

I suspect the error might be in the commenting or post section as that is the only place that library seems to be called - so, if your blog doesn't have comments, it may not be vulnerable. However, it could be in the user's bio field, and an admin that views a user's profile could leak the admin cookie. I'll take a look later, just seemed prudent to let people know earlier rather than later. :)

ponyman 2010-12-29 06:00 PM

Good info. Thanks for the heads up! Updating my WP sites now...

cd34 2010-12-29 07:17 PM

changeset

http://core.trac.wordpress.org/chang...2/branches/3.0

Basically, anywhere someone can enter input that might contain HTML (comments, bio, posts, etc.) can be exploited.

Bill 2010-12-29 07:35 PM

Damn, you gotta be some sort of frikking genius or savant to understand that page.

But sounds fucked up.

What happens if you have comments set to approve only? Does the exploit still get you?

Ms Naughty 2010-12-29 08:05 PM

Would this exploit apply to older versions of WP?

cd34 2010-12-29 08:26 PM

I believe based on what they changed, that almost every version of wordpress is vulnerable. KSES was their 'end-all be-all' solution to html sanitization, and, it has a pretty big hole. Any place you can enter text, that could potentially include html, would be possible to exploit.
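
As an added illustration of the "decline it rather than clean it up" point cd34 makes above (this is not code from the thread, from WordPress, or from KSES, and it does not reproduce the 3.0.4 bug, whose details the thread does not give): a one-pass blocklist "cleanup" filter is placed next to an allowlist validator that rejects the whole fragment when anything unexpected appears. The sample fragments, the tag/attribute allowlist and the scheme list are constructed for this example. It relies on the standard-library HTMLParser decoding entity references inside attribute values before handing them to the handler, which is what lets the validator see the same bytes a browser would.

```python
import re
from html.parser import HTMLParser

# Constructed sample fragments (not from the advisory or the changeset).
SAMPLES = [
    '<a href="http://example.com/">ok</a>',
    '<a href="javascript:alert(1)">x</a>',               # the naive case
    '<a href="jjavascript:avascript:alert(1)">x</a>',    # re-forms after a one-pass strip
    '<a href="java&#x09;script:alert(1)">x</a>',         # entity-encoded tab; browser decodes it
    '<b onmouseover="alert(1)">x</b>',                   # event handler, no URL at all
]

BAD_SCHEME = re.compile(r'javascript:', re.IGNORECASE)


def cleanup_filter(fragment: str) -> str:
    """Blocklist 'cleanup': delete the dangerous substring and keep the rest."""
    return BAD_SCHEME.sub('', fragment)


# Hypothetical allowlist: tag -> permitted attributes.
ALLOWED = {
    'a': {'href', 'title'},
    'b': set(), 'i': set(), 'em': set(), 'strong': set(), 'p': set(), 'br': set(),
}
SAFE_SCHEMES = {'http', 'https', 'mailto'}
SCHEME = re.compile(r'^([a-z][a-z0-9+.-]*):', re.IGNORECASE)


def safe_url(value: str) -> bool:
    """Decide on the scheme the way a browser will see it: drop TAB/LF/CR anywhere,
    strip leading C0 controls and spaces, then compare the scheme case-insensitively.
    A URL with no scheme is relative and has nothing to abuse."""
    v = re.sub(r'[\t\n\r]', '', value)
    v = v.lstrip(''.join(chr(c) for c in range(0x21)))
    m = SCHEME.match(v)
    if m is None:
        return True
    return m.group(1).lower() in SAFE_SCHEMES


class RejectingSanitizer(HTMLParser):
    """Allowlist validator: the first tag, attribute or href value that is not
    explicitly permitted marks the whole fragment as rejected. Nothing is repaired."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.error = None

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.error = f'tag <{tag}> not allowed'
            return
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                self.error = f'attribute {name} on <{tag}> not allowed'
                return
            if name == 'href' and not safe_url(value or ''):
                self.error = f'href scheme not allowed: {value!r}'
                return

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            self.error = f'tag </{tag}> not allowed'


def validate(fragment: str):
    """Return (accepted, reason) for the whole fragment."""
    p = RejectingSanitizer()
    p.feed(fragment)
    p.close()
    return (False, p.error) if p.error else (True, 'ok')


def audit(fragment: str) -> dict:
    """Run both approaches and record whether the cleanup output still fails the
    allowlist check, i.e. whether a payload survived the 'cleanup'."""
    cleaned = cleanup_filter(fragment)
    return {
        'input': fragment,
        'cleanup_output': cleaned,
        'cleanup_left_payload': not validate(cleaned)[0],
        'strict_rejected': not validate(fragment)[0],
    }


if __name__ == '__main__':
    for row in map(audit, SAMPLES):
        print(row)
```

The cleanup filter only handles the naive sample; the overlapping-string and entity-encoded samples come out of it with a working javascript: href, and it never looks at the event handler. The validator rejects all four bad fragments and accepts the good one, which is the behaviour cd34 is arguing for: validation failure is a reason to refuse the input, not an invitation to guess at a repair.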

While