
List:       oss-security
Subject:    Re: [oss-security] CVE requset: WordPress XSS vulnerability in RSS Feed Generator
From:       Steffen Joeris <steffen.joeris () skolelinux ! de>
Date:       2008-11-28 23:48:47
Message-ID: 200811290048.47309.steffen.joeris () skolelinux ! de


Hi Jeremias

On Fri, 28 Nov 2008 11:31:05 pm Jeremias Reith wrote:
> On Nov 28, 2008, at 22:39 , Steffen Joeris wrote:
> > Hi
> >
> >> an XSS vulnerability has been discovered in WordPress.
> >>
> >> Vendor info:
> >> http://wordpress.org/development/2008/11/wordpress-265/
> >>
> >> Detailed information:
> >> http://www.securityfocus.com/archive/1/498652 (Note: It should be
> >> "prior to 2.6.5" in the summary)
> >
> > I might be off here, but doesn't the patch[0] create another XSS by
> > removing
> > wp_specialchars?
> >
> > Cheers
> > Steffen
> >
> > [0]:
> > http://trac.wordpress.org/changeset?old_path=tags%2F2.6.3&old=&new_path=tags%2F2.6.5&new=
>
> Looks fine to me.
>
> You probably missed that the added clean_url() is applied on the
> entire URL instead of wp_specialchars() to REQUEST_URI.
Yeah, you're right, and it appears that clean_url takes care of all the bad
characters. However, I am still wondering why upstream doesn't use
htmlspecialchars(). :)

Cheers
Steffen

["signature.asc" (application/pgp-signature)]
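The exchange above turns on where the request URI is neutralised before it is written into the feed: escaping it for the XML context, or cleaning it as a URL first. The PHP below is an added illustration of that distinction and is not WordPress code; the function names, the `example.invalid` host and the simplified character-whitelist sanitizer are assumptions standing in for `clean_url()`, which this example does not reproduce.

```php
<?php
// Added example (not WordPress code): contrasts reflecting REQUEST_URI into
// an RSS feed unescaped with two safe renderings. All function names and the
// host name are hypothetical.

// Unsafe: the raw request URI is concatenated into XML, so any markup in the
// request path or query string lands in the feed verbatim.
function feed_self_link_unsafe(string $request_uri): string {
    return '<link>http://example.invalid' . $request_uri . '</link>';
}

// Safe variant 1: escape at the output boundary for the XML/HTML context.
// This is the htmlspecialchars() approach mentioned in the reply.
function feed_self_link_escaped(string $request_uri): string {
    $escaped = htmlspecialchars($request_uri, ENT_QUOTES, 'UTF-8');
    return '<link>http://example.invalid' . $escaped . '</link>';
}

// Safe variant 2: treat the value as a URL first (keep only characters legal
// in one), then still escape for the XML context. This mirrors the shape of
// the fix under discussion (a URL cleaner over the whole URL) but is a
// simplified stand-in, not clean_url().
function sanitize_url_chars(string $url): string {
    // RFC 3986 unreserved and reserved characters, plus '%' for pct-encoding.
    return preg_replace('/[^A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]/', '', $url);
}

function feed_self_link_sanitized(string $request_uri): string {
    $clean   = sanitize_url_chars($request_uri);
    $escaped = htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
    return '<link>http://example.invalid' . $escaped . '</link>';
}

// Constructed sample input: a request URI carrying markup in its query string.
$sample = '/feed/?x=<script>alert(1)</script>';

echo "unsafe:    ", feed_self_link_unsafe($sample), "\n";
echo "escaped:   ", feed_self_link_escaped($sample), "\n";
echo "sanitized: ", feed_self_link_sanitized($sample), "\n";

// Self-check: the text between the <link> tags of both safe variants must be
// free of raw markup characters.
$outputs = [
    'escaped'   => feed_self_link_escaped($sample),
    'sanitized' => feed_self_link_sanitized($sample),
];
foreach ($outputs as $name => $out) {
    $inner = substr($out, strlen('<link>'), -strlen('</link>'));
    if (strpbrk($inner, '<>"') !== false) {
        throw new RuntimeException("$name output still contains raw markup characters");
    }
}
echo "both safe variants passed the markup check\n";
```

The escaped variant keeps the original characters but renders them inert in the XML (`&lt;script&gt;`); the sanitized variant drops them altogether and then escapes what remains, so the feed's `<link>` value is both a syntactically valid URL and safe in its output context. Either way, the check that matters for a reviewer is that the value is neutralised on every path that writes it into the document, which is the question the thread raises about the patch.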
