WordPress Cross Site Scripting Vulnerability in templates.php Uncovered

Folks, if you’re using WordPress to run your blogs (we are!), I suggest you go and download the latest version (2.0.6, which is still in development as of this writing) or at least install a patch. A Cross-Site Scripting (XSS) vulnerability has recently been discovered that lets an attacker inject script or HTML into a page served by the WordPress admin interface, where it runs in the context of the affected site.


David Kierznowski writes at Operation N:

When editing files a shortcut is created titled ‘recently accessed files’. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with ‘/’. We can get around this by using open IMG tags; this works under FF and IE.

If that’s Greek to you (it is to me), you can check out Security Focus, which has a description more attuned to layman speak.

WordPress is prone to a HTML-injection scripting vulnerability because the application fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

Tech Buzz lists the vulnerable versions (almost all versions prior to 2.0.6), and adds,

A Cross-site scripting (XSS) vulnerability has been found in wp-admin/template.php which could allow malicious web users to inject arbitrary web scripts or HTML code through the file parameter.

This exploit could allow remote attackers to do nasty things by injecting PHP or HTML code into your WordPress core files.

The vulnerability is in the templates.php script. If you would rather not upgrade to the latest WP version yet (because of heavy customizations, incompatible templates, hacks, plugins, etc.), you can work around the problem either by commenting out a single line or by replacing the file with a patched version.

  • Comment out line 72 in /wp-admin/templates.php, which contains update_recently_edited($file);
  • Patch templates.php with that from the latest WP version (file can be downloaded here).
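To make the quoted description concrete, here is an added PHP illustration. It is not code from WordPress 2.0.5 or from the 2.0.6 fix: esc_text(), file_description(), recent_link_vulnerable() and recent_link_fixed() are hypothetical stand-ins for the routines the advisory names (wp_specialchars and get_file_description), the payloads are constructed, and only the rendering step is modelled. It shows a “recently edited” link built with the anchor text escaped but the title attribute left raw, next to the hardened version that escapes the attribute value as well, and it reproduces the observation above that a closing script tag dies in basename() while an unclosed IMG tag survives. The line 72 workaround removes the write (update_recently_edited($file)), so attacker-supplied file names never reach this list at all; the hardened function is what a patched render looks like.

```php
<?php
// Added illustration, not code from WordPress 2.0.5 or the 2.0.6 fix.
// The helper names are hypothetical stand-ins for the routines the
// advisory mentions (wp_specialchars, get_file_description).

// Stand-in for wp_specialchars(): escape &, <, >, " and ' so the value is
// inert both as element content and inside a double-quoted attribute.
function esc_text(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for get_file_description(): known template files get a friendly
// label; anything else falls back to basename($file), returned as-is.
function file_description(string $file): string
{
    $known = [
        'index.php' => 'Main Index Template',
        'style.css' => 'Stylesheet',
    ];
    $base = basename($file);
    return $known[$base] ?? $base;
}

// Vulnerable pattern: the anchor text is escaped, the title attribute is not.
function recent_link_vulnerable(string $file): string
{
    return '<a href="theme-editor.php?file=' . urlencode($file) . '"'
         . ' title="' . file_description($file) . '">'
         . esc_text($file) . '</a>';
}

// Hardened pattern: every attacker-influenced value is escaped for the
// context it lands in, attribute values included. basename() is a path
// helper, not a sanitiser, so it is never relied on for safety.
function recent_link_fixed(string $file): string
{
    return '<a href="theme-editor.php?file=' . urlencode($file) . '"'
         . ' title="' . esc_text(file_description($file)) . '">'
         . esc_text($file) . '</a>';
}

// Constructed payloads, as they would arrive in the file parameter.
// The closing </script> contains a slash, so basename() keeps only
// "script>" and the script never runs. An unclosed <img> tag has no slash,
// survives basename() intact, and fires its onerror handler.
$payloads = [
    'script' => '"><script>alert(1)</script>',
    'img'    => '"><img src=x onerror=alert(1)',
];

foreach ($payloads as $name => $payload) {
    echo "[$name] vulnerable: " . recent_link_vulnerable($payload) . "\n";
    echo "[$name] fixed:      " . recent_link_fixed($payload) . "\n\n";
}
```

Run it with `php example.php`. For the img payload the vulnerable line closes the title attribute early and emits a live `<img src=x onerror=alert(1)>` outside the anchor, while the script payload collapses to a harmless `script>` because basename() discarded everything up to the last slash. The hardened line turns both into `&quot;&gt;&lt;img ...` text inside the attribute. The lesson is the one the advisory makes: escaping the visible text is not enough, every value that lands in an attribute needs its own escaping, and basename() does not count.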

And that, folks, is one great thing with open source software. Everyone can pitch in, and if there are vulnerabilities, these are more easily found and resolved, as compared to closed software, which would require a centralized development team to provide fixes.

[via Stellify]
  • I don’t speak Greek :) I was trying to demonstrate the attack vector which required some tech jargon; apologies if there was too much, I’ll keep this in mind next time.

  • I started reading The Blog Herald before I ever started my own blog. As time went on I found I wasn’t really happy with the tone being set.

    I have to say the “new” Blog Herald is a big change. The articles are useful, original, and enjoyable to read. It’s obvious you guys aren’t just rehashing a bunch of stuff from other blogs.

    This isn’t a dig at Matt in any way. I like him a lot and his writing. He gave me one of the first links to my blog.

    Thanks for the heads up on WordPress.

  • David,

    We all speak Greek (or Geek?) every once in a while. I have a few friends who remind me of that often. Thanks for warning everyone with that WP vulnerability. I’ve a lot of blogs to fix!

    Big Roy,

    Thanks for the vote of confidence. We’re hoping people would notice the change.

  • It’s a shame BH couldn’t have acted more responsibly and waited for 2.0.6 to be released before announcing an XSS flaw to the blogging world that predominantly uses WordPress. Sometimes the “scoop” isn’t the wisest choice.

  • Aaron,

    It wasn’t a scoop–the news would’ve spread even without us posting about it, so I thought it best to post this as a warning. Patching WP to fix bugs would always be a good idea.

  • It was released before WP 2.0.6. As it happens, I knew about one of the flaws weeks ago but you didn’t see me post anything on it, did you? The reality is thousands of people use WordPress and all you can offer them for your hand flailing is a beta version of WordPress 2.0.6.

    I think it’s wiser for you to study up on how to handle these issues in the future. It makes you a better citizen. My flailing trust in BH has slipped further due to your demonstrated irresponsibility.

  • Hello Aaron,

    It wasn’t as if we were the ones who first discovered the vulnerability prior to v2.0.6, so it wasn’t a “scoop” for us. If you read the post again, you will notice several links to the original sites which cited the problem.

    Our intention is to inform and warn people of such vulnerabilities and help them find ways to fix it. Our motive was clear. If you didn’t see the good intention, some other readers & WP users might. While you look at it as irresponsible, some of us look at it as cautiously responsible. We’ll just have to settle with the fact that we can’t really please everybody with what we deliver to our readers.

  • I think what Aaron was commenting on was the usual way of dealing with vulnerabilities and exploits to minimize the chance of publicizing the vulnerabilities to hackers.

    However, without speaking too much for Angelo, I think I’ll agree with Abe here — the intention was never to do the wrong thing in pursuit of the scoop.

    If this security publishing faux pas has changed your opinion about the BlogHerald, I’m sorry for that — but I think our new columnists are doing their damndest to try and make it better.

    And hopefully in the New Year we can make you a believer too. ;)

    Cheers,
    Tony.

  • For the record, it’s considered irresponsible in security circles to publish or publicize bugs where the software’s creators are currently working actively on a patch (and when the patch is only days away).

    Sure, the Blog Herald didn’t publish the details initially, but they still broadened interest in it needlessly. It’s not a public service if there isn’t anything appropriate the public can do to protect themselves.

  • Jeremy- I think that this is understood now and the way you put it here is fine. One lives and learns by one’s mistakes.

    What I don’t get, however, is the way that such feedback is delivered by Aaron Brazell- who is essentially enflaming a story that he himself claims should not be for public consumption, both here and on his own blog.

    Wouldn’t the best way for him to have handled things, given the correct protocol, been to have privately contacted BH editorial staff and asked that the post be taken down? I am sure that he would have received a positive response.

    In the end of the day, I would hope that we’re all pretty much on the same side.

  • Let me put the record straight:

    1. A patch was provided with the original advisory. Therefore, not only was a problem advertised but a solution provided. So who is being irresponsible? The one not spreading the word or the one pointing out the problem and offering a solution.

    2. There is much debate (still) over what is responsible and what is irresponsible with how one releases security holes. In this case a fix was provided with the problem, not to mention WordPress had an overnight patch.

    3. If it is irresponsible for the security community to publish holes, is it not also irresponsible for the software vendor who is releasing a package to the public that has not been sufficiently tested?

    4. Who says attackers didn’t already know about the vulnerability?

    Nuff said.

  • Mark: I said nothing about the story until after WordPress 2.0.6 was officially released. That is, not a beta version, but the official version. I didn’t even say anything on Blog Herald. Granted, I didn’t see it here until after 2.0.6 was released or I probably would have said something privately.

    David:

    1. Blog Herald is not the sole irresponsible party here. But they are the one with the biggest bullhorn. The original posters that were quoted also bear responsibility. And what about the people who don’t read BH that use WordPress? Are they responsible for finding out about the “patch” provided here and implementing it for themselves?

    2. Where is this debate? It seems the only debate is between black hat and white hat hackers. Do you subscribe to Bugtraq? Do you see the thousands of bug reports that are reported every month?

    As for WordPress’ fix, yeah – they rushed 2.0.6 out the door because of stuff like this being public and in the process broke something else because it was a rush job. Now they have to look at 2.0.7 to fix that. Come on, don’t give me what is responsible and what is not.

    3. See #2.

    4. No one but now hackers know and the rest of the world knows.

  • If we’re talking about estimations lowering and being cemented then I’m finding one right now. There’s a certain tone coming from some that takes an otherwise useful message and turns it into “Listen to me. I’m a coder. I’m wonderful. I’m right”. Maybe that’s what some networks do to people, but it’s a shame to see how the person I thought I was getting to know last year (before they switched networks) has gone all corporate and UTOA.

    Still, it doesn’t matter much as I guess they won’t be reading BH for much longer.
