oss-security - Re: CVE requset: WordPress XSS vulnerability in RSS Feed Generator

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Sat, 29 Nov 2008 00:48:47 +0100
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: Jeremias Reith <jr@...ss.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE requset: WordPress XSS vulnerability in RSS Feed Generator

Hi Jeremias

On Fri, 28 Nov 2008 11:31:05 pm Jeremias Reith wrote:
> On Nov 28, 2008, at 22:39 , Steffen Joeris wrote:
> > Hi
> >
> >> a XSS vulnerability has been discovered in WordPress.
> >>
> >> Vendor info:
> >> http://wordpress.org/development/2008/11/wordpress-265/
> >>
> >> Detailed information:
> >> http://www.securityfocus.com/archive/1/498652 (Note: It should be
> >> "prior to 2.6.5" in the summary)
> >
> > I might be off here, but doesn't the patch[0] create another XSS by
> > removing
> > wp_specialchars?
> >
> > Cheers
> > Steffen
> >
> > [0]:
> > http://trac.wordpress.org/changeset?old_path=tags%2F2.6.3&old=&new_path=t
> >ags%2F2.6.5&new=
>
> Looks fine to me.
>
> You probably missed that the added clean_url() is applied on the
> entire URL instead of wp_specialchars() to REQUSET_URI.
Yeah you're right and it appears that clean_url takes care of all the bad 
characters. However, I am still wondering why upstream doesn't use 
htmlspecialchars(). :)

Cheers
Steffen

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.