WordPress SEO by Yoast
Security issue with post title field (XSS vulnerability) (3 posts)

  1. badconker
    Member
    Posted 1 year ago #

    (sorry for my English, it's not my native language)

    WordPress version: 3.4.2
    WordPress SEO version: 1.2.8.7

    I did this:
    I filled the post_title field of a page/post/custom_post with "<script>alert('We have a problem');</script>"

    I expected the plugin to do this: nothing in particular

    Instead it did this:
    A popup message "We have a problem".

    On my site, everyone can make a post. This post is then validated by an admin user. So everyone can use the security breach to execute JavaScript in admin!

    Temporary patch:

    ===================================================================
    --- class-metabox.php	(révision 2)
    +++ class-metabox.php	(révision 3)
    @@ -816,7 +816,7 @@
     			echo '<div title="' . $title . '" alt="' . $title . '" class="wpseo_score_img ' . $score . '"></div>';
     		}
     		if ( $column_name == 'wpseo-title' ) {
    -			echo $this->page_title( $post_id );
    +			echo esc_html($this->page_title( $post_id ));
     		}
     		if ( $column_name == 'wpseo-metadesc' ) {
     			echo wpseo_get_value( 'metadesc', $post_id );
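
    Review bot: The escaping covers only the 'wpseo-title' column, while the unchanged lines around it still echo raw values: `$title` goes into the title and alt attributes of the score div, and the 'wpseo-metadesc' column prints `wpseo_get_value( 'metadesc', $post_id )` directly. If either value can carry user input, wrap the attribute values in esc_attr() and the meta description in esc_html() in the same change. Style point: WordPress coding standards put spaces inside the parentheses, so `esc_html( $this->page_title( $post_id ) )`.
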
    Index: wp-seo-metabox.js
    ===================================================================
    --- wp-seo-metabox.js	(révision 2)
    +++ wp-seo-metabox.js	(révision 3)
    @@ -46,7 +46,7 @@
     	if ( jQuery("#yoast_wpseo_title").val() ) {
     		var title = jQuery("#yoast_wpseo_title").val();
     	} else {
    -		var title = wpseo_title_template.replace('%%title%%', jQuery('#title').val() );
    +		var title = wpseo_title_template.replace('%%title%%', jQuery('<div/>').text(jQuery('#title').val()).html() );
     	}
     	if ( title == '' ) {
     		jQuery('#wpseosnippet .title').html( '' );
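
    Review bot: Only the else branch is encoded; the if branch at the top of the hunk still assigns `jQuery("#yoast_wpseo_title").val()` to `title` unchanged, so markup typed into the SEO title field takes the same path as before if `title` is later written with .html(). Encode once after the if/else, or set the snippet with .text() at the point of output. Also, a string passed as the second argument of .replace() has patterns such as `$&` expanded, so a post title containing them is altered; a function replacer avoids that.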

    http://wordpress.org/extend/plugins/wordpress-seo/

  2. Joost de Valk
    Member
    Plugin Author

    Posted 1 year ago #

    This was already patched in 1.3

  3. badconker
    Member
    Posted 1 year ago #

    Hi,

    Thanks for your new version, but I have tested again with WordPress 3.5 and wordpress-seo 1.3.3 (and the developer version...) and it seems not to be resolved at all!! (specifically in wp-seo-metabox.js)

    Simple test:
    - connect to the admin of your site
    - go to the URL: [www.yoursite.com]/wp-admin/post-new.php?post_title=<script>alert('There is a problem');</script>
    - The alert message is displayed!

    => CSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery

    For me, it's a big security issue.
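
The last post points at wp-seo-metabox.js. As an added example (not the plugin's code and not written by either poster), the snippet-title logic from the quoted hunk is shown below with both branches encoded and a function replacer for the placeholder; `escapeHtml`, `buildSnippetTitle`, `naiveSnippetTitle` and the sample template string are hypothetical names and constructed values.

```javascript
// Added example; function names and sample values are hypothetical.

// Characters that must be encoded for HTML text and quoted attribute values.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before" behaviour of the else branch in the hunk: the raw post title is
// substituted into the template and later handed to an HTML sink.
function naiveSnippetTitle(template, postTitle) {
  return template.replace('%%title%%', postTitle);
}

// Hardened form of the same if/else:
//  - a custom SEO title is encoded too, not only the fallback post title;
//  - the replacement is a function, so "$&" and similar patterns in a title
//    are inserted literally instead of being expanded by String.replace.
// Assumption: the template itself is site configuration and is trusted.
function buildSnippetTitle(template, customTitle, postTitle) {
  if (customTitle) {
    return escapeHtml(customTitle);
  }
  return template.replace('%%title%%', () => escapeHtml(postTitle));
}

// Constructed sample input, reusing the title from the first post.
const SAMPLE_TEMPLATE = '%%title%% - My Site';
const SAMPLE_TITLE = "<script>alert('We have a problem');</script>";

function demo() {
  return {
    before: naiveSnippetTitle(SAMPLE_TEMPLATE, SAMPLE_TITLE),
    after: buildSnippetTitle(SAMPLE_TEMPLATE, '', SAMPLE_TITLE),
    custom: buildSnippetTitle(SAMPLE_TEMPLATE, SAMPLE_TITLE, 'ignored'),
    dollar: buildSnippetTitle(SAMPLE_TEMPLATE, '', 'Save $& more')
  };
}
```

Writing the result with jQuery's .text() instead of .html() removes the need for manual encoding at that sink; the server-side list column still needs its own escaping.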

Topic Closed

This topic has been closed to new replies.
