oss-sec mailing list archives

Re: CVE requset: WordPress XSS vulnerability in RSS Feed Generator

From: Jeremias Reith <jr () noxss org>
Date: Fri, 28 Nov 2008 23:31:05 +0100

On Nov 28, 2008, at 22:39 , Steffen Joeris wrote:

Hi

a XSS vulnerability has been discovered in WordPress.

Vendor info:
http://wordpress.org/development/2008/11/wordpress-265/

Detailed information:
http://www.securityfocus.com/archive/1/498652 (Note: It should be
"prior to 2.6.5" in the summary)

I might be off here, but doesn't the patch[0] create another XSS byremoving

wp_specialchars?

Cheers
Steffen

[0]:
http://trac.wordpress.org/changeset?old_path=tags%2F2.6.3&old=&new_path=tags%2F2.6.5&new=



Looks fine to me.

You probably missed that the added clean_url() is applied on theentire URL instead of wp_specialchars() to REQUSET_URI.



Cheers,
Jeremias

Current thread:

CVE requset: WordPress XSS vulnerability in RSS Feed Generator Jeremias Reith (Nov 26)
- Re: CVE requset: WordPress XSS vulnerability in RSS Feed Generator Steven M. Christey (Nov 28)
- Re: CVE requset: WordPress XSS vulnerability in RSS Feed Generator Steffen Joeris (Nov 28)
  - Re: CVE requset: WordPress XSS vulnerability in RSS Feed Generator Jeremias Reith (Nov 28)
    - Re: CVE requset: WordPress XSS vulnerability in RSS Feed Generator Steffen Joeris (Nov 28)
- Re: CVE requset: WordPress XSS vulnerability in RSS Feed Generator Steven M. Christey (Nov 28)