Persistent XSS in WordPress
During a brief source code audit of WordPress, one of the most popular open-source blogging platforms, we found two persistent XSS flaws.
Proof of Concept (IE7)
Enter the following string in a comment field:
aaa@"STYLE="behavior:url('#default#time2')"onBegin="alert('XSS')"
The payload fires when a blog user views the comment.
It also fires in the administration section (example impacts: session takeover, CSRF).
The second flaw is similar:
javascript://%0a%0dalert%281%29
It fires when the link is clicked.
Keep in mind that persistent XSS is particularly dangerous: the attack against a victim fires during normal navigation of the site.
Details
The problems were spotted in the following file:
wp-includes/formatting.php, specifically in the function make_clickable().
The regular expressions are too lax to prevent injection (see lines 6 and 8 of the listing below).
1. function make_clickable($ret) {
2. $ret = ' ' . $ret;
3. // in testing, using arrays here was found to be faster
4. $ret = preg_replace(
5. array(
6. '#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is',
7. '#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is',
8. '#([\s>])([a-z0-9\-_.]+)@([^,< \n\r]+)#i'),
9. array(
10. '$1<a href="$2" rel="nofollow">$2</a>',
11. '$1<a href="http://$2" rel="nofollow">$2</a>',
12. '$1<a href="mailto:$2@$3">$2@$3</a>'),$ret);
13. // this one is not in an array because we need it to run last, for cleanup of accidental links within links
14. $ret = preg_replace("#(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>#i", "$1$3</a>", $ret);
15. $ret = trim($ret);
16. return $ret;
17. }
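The following is an added example, not WordPress code: a Python port of patterns 6 and 8 from the listing beside a hardened rewrite (scheme whitelist, hostname-only mail domain, HTML-escaped attribute values), plus a check that flags an attribute name landing outside the href value. The hardened version is an assumed fix for illustration, not the vendor's 2.3.2 patch; the www/ftp pattern on line 7 and the cleanup pass on line 14 are omitted.

```python
import html
import re

# Two strings from the advisory above, used here only to check behaviour.
MAIL_PAYLOAD = 'aaa@"STYLE="behavior:url(\'#default#time2\')"onBegin="alert(\'XSS\')"'
JS_PAYLOAD = 'javascript://%0a%0dalert%281%29'

# Patterns 6 and 8 from the listing, ported from PCRE to Python's re module.
URL_LAX = re.compile(r'([\s>])(\w+?://[\w#$%&~/.\-;:=,?@\[\]+]*)', re.I | re.S)
MAIL_LAX = re.compile(r'([\s>])([a-z0-9\-_.]+)@([^,< \n\r]+)', re.I)

def make_clickable_lax(text: str) -> str:
    """Mirrors the vulnerable function: captured text is pasted into href verbatim."""
    text = ' ' + text
    text = URL_LAX.sub(r'\1<a href="\2" rel="nofollow">\2</a>', text)
    text = MAIL_LAX.sub(r'\1<a href="mailto:\2@\3">\2@\3</a>', text)
    return text.strip()

# Hardened rewrite (an assumed fix for illustration, not the vendor's 2.3.2 patch):
#  - scheme whitelist, so a javascript: URL is never turned into a link;
#  - mail domain limited to hostname characters, so '"' cannot reach the attribute;
#  - every captured value is HTML-escaped before it is placed in href or link text.
URL_STRICT = re.compile(r'([\s>])((?:https?|ftp)://[\w#$%&~/.\-;:=,?@\[\]+]*)', re.I)
MAIL_STRICT = re.compile(r'([\s>])([a-z0-9\-_.]+)@([a-z0-9\-]+(?:\.[a-z0-9\-]+)+)', re.I)

def _url_link(m: re.Match) -> str:
    url = html.escape(m.group(2), quote=True)
    return f'{m.group(1)}<a href="{url}" rel="nofollow">{url}</a>'

def _mail_link(m: re.Match) -> str:
    addr = html.escape(f'{m.group(2)}@{m.group(3)}', quote=True)
    return f'{m.group(1)}<a href="mailto:{addr}">{addr}</a>'

def make_clickable_strict(text: str) -> str:
    text = ' ' + text
    text = URL_STRICT.sub(_url_link, text)
    text = MAIL_STRICT.sub(_mail_link, text)
    return text.strip()

def injects_attribute(output: str) -> bool:
    """Detection check: an attribute name right after the closing quote of href
    means captured text broke out of the attribute value."""
    return re.search(r'href="[^"]*"[^>]*\b(style|on\w+)=', output, re.I) is not None

if __name__ == '__main__':
    for payload in (MAIL_PAYLOAD, JS_PAYLOAD):
        print('lax   :', make_clickable_lax(payload))
        print('strict:', make_clickable_strict(payload))
```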
Vulnerable versions of WordPress
2.3.1, and probably earlier versions as well.
Remediation
The vendor was informed and has released version 2.3.2, which contains a fix for the vulnerability.
We recommend upgrading to the newest version of WordPress.
