Folks, if you’re using WordPress to run your blogs (we are!), I suggest you go and download the latest version (2.06, which is still in development as of this writing) or at least install some patches. Recently, a Cross-Site Scripting (XSS) vulnerability was discovered that could permit malicious code injection into the core files of WordPress blogs.
David Kierznowski writes at Operation N:
When editing files a shortcut is created titled ‘recently accessed files’. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with ‘/’. We can get around this by using open IMG tags; this works under FF and IE.
If that’s Greek to you (it is to me), you can check out Security Focus, which has a description more attuned to layman’s terms.
WordPress is prone to an HTML-injection scripting vulnerability because the application fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Tech Buzz lists the vulnerable versions (almost all versions prior to 2.06), and adds:
A Cross-site scripting (XSS) vulnerability has been found in wp-admin/template.php which could allow malicious web users to inject arbitrary web scripts or HTML code through the file parameter.
This exploit could allow remote attackers to do nasty things by injecting PHP or HTML code into your WordPress core files.
The vulnerability is in the templates.php script. If you would rather not upgrade to the latest WP version yet (because of heavy customizations, incompatible templates, hacks, plugins, etc.), you can work around the problem by either commenting out a single line or replacing the file with a patched version:
- Comment out line 72 in /wp-admin/templates.php, which contains update_recently_edited($file);
- Patch templates.php with that from the latest WP version (file can be downloaded here).
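To make the mechanism concrete for the non-developers reading this, here is a small added example (my own illustration, not WordPress code) of the pattern Kierznowski describes: the link text is escaped, but the title attribute built from the file name is not, and running the value through basename() only strips the directory part, it does not neutralise quotes or tags. The function names, the demo_specialchars() stand-in for wp_specialchars(), the demo_file_description() stand-in for get_file_description(), and the sample file name are all assumptions made for this demo.

```php
<?php
// Added example, not code from WordPress. Shows why escaping only the anchor
// text leaves the title attribute injectable, and what the fixed pattern looks like.

// Stand-in for wp_specialchars(): escapes &, <, >, and " (assumption: WordPress
// is not loaded here, so we reimplement the minimal behaviour we need).
function demo_specialchars(string $text): string {
    return str_replace(
        ['&', '<', '>', '"'],
        ['&amp;', '&lt;', '&gt;', '&quot;'],
        $text
    );
}

// Stand-in for get_file_description(): the real function looks up a friendly
// name for known files; for unknown files it falls back to the file name itself,
// which is the unsanitised value in the report.
function demo_file_description(string $file): string {
    return basename($file);
}

// Vulnerable pattern: anchor text is escaped, the title attribute is not.
function render_recent_file_link_vulnerable(string $file): string {
    $text  = demo_specialchars(basename($file));
    $title = demo_file_description($file);                 // raw, lands inside title="..."
    return '<a href="templates.php?file=' . rawurlencode($file)
         . '" title="' . $title . '">' . $text . '</a>';
}

// Hardened pattern: every value is escaped for the context it is written into.
function render_recent_file_link_hardened(string $file): string {
    $text  = demo_specialchars(basename($file));
    $title = demo_specialchars(demo_file_description($file)); // escaped for attribute context
    return '<a href="templates.php?file=' . rawurlencode($file)
         . '" title="' . $title . '">' . $text . '</a>';
}

// Constructed sample: a file name carrying a double quote and a tag. basename()
// only removes "themes/my-theme/", so both characters survive into the markup.
$sample = 'themes/my-theme/odd"name<b>.php';

echo "basename() alone : ", basename($sample), PHP_EOL;
echo "vulnerable markup: ", render_recent_file_link_vulnerable($sample), PHP_EOL;
echo "hardened markup  : ", render_recent_file_link_hardened($sample), PHP_EOL;
```

Run it with the PHP command-line interpreter and compare the two output lines: in the vulnerable one the double quote closes the title attribute early, so whatever follows is parsed as new attributes or markup; in the hardened one it arrives as &quot; and the angle brackets as &lt; and &gt;, so the browser treats the whole value as plain text. That attribute-context escaping is what the upgraded templates.php supplies, and it is also why commenting out update_recently_edited($file) works as a stopgap: nothing gets written to the recently-edited list, so the unescaped title is never rendered.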
And that, folks, is one great thing about open source software. Everyone can pitch in, and if there are vulnerabilities, they are more easily found and resolved than in closed software, which would require a centralized development team to provide fixes.