Greenguy's Board


Old 2010-12-29, 08:26 PM   #8
cd34
a.k.a. Sparky
 
 
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
I believe, based on what they changed, that almost every version of WordPress is vulnerable. KSES was their 'end-all be-all' solution to HTML sanitization, and it has a pretty big hole. Any place you can enter text that could potentially include HTML would be possible to exploit.

While <script> was filtered out correctly, it appears that <SCRIPT> was not.

If the comment is set to approve only, it is possible that a script could be written that could expose your auth information - not the password, but the auth token. A savvy enough person could use that to get into WordPress. Alternatively, they could do an iframe exploit that could expose you to malicious content just by viewing the content.

I'm not entirely sure where they use KSES for sanitization, but it looks like almost every input calls it.

Not really a thrilling thought.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
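
The case-sensitivity gap described in the post above, shown as an added example that is not part of the original post and is not WordPress or KSES code. The filter functions, the allowlist and the probe strings are hypothetical and constructed for illustration: a blocklist that matches the tag name case-sensitively sits beside an allowlist that normalises the name first, with a regression check that runs every upper/lower spelling of the tag through each one.

```python
import html
import re
from itertools import product

# Hypothetical blocklist filter with the flaw described in the post: the tag
# name is matched case-sensitively, so only the lowercase spelling is removed.
def strip_script_case_sensitive(text: str) -> str:
    return re.sub(r"</?script\b[^>]*>", "", text)

ALLOWED_TAGS = {"a", "b", "br", "em", "i", "p", "strong"}  # constructed allowlist
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\b[^>]*>")

# Hardened form: lowercase the tag name before comparing, allow by name rather
# than block by name, and escape everything that is not an allowed tag so that
# removed fragments cannot reassemble into markup. Attributes are dropped.
def sanitize_allowlist(text: str) -> str:
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        name = m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{m.group(1)}{name}>")
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

def case_variants(tag: str):
    """Every upper/lower spelling of a tag name (2**len(tag) strings)."""
    return ("".join(c) for c in product(*((ch.lower(), ch.upper()) for ch in tag)))

def surviving_variants(sanitizer, tag: str = "script"):
    """Regression check: spellings of <tag> that survive the sanitizer."""
    probe = re.compile(rf"</?{re.escape(tag)}\b", re.IGNORECASE)
    return [v for v in case_variants(tag)
            if probe.search(sanitizer(f"hello <{v}>x</{v}> world"))]

if __name__ == "__main__":
    print(len(surviving_variants(strip_script_case_sensitive)), "spellings leak")
    print(surviving_variants(sanitize_allowlist), "leak through the allowlist")
```

A check like `surviving_variants` fits in a sanitizer's test suite so that a case-handling regression fails the build instead of reaching production.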