Author : Darshit Ashara Date : 21/08/2011 Vendor : Wordpress Version: 3.2.1
WordPress 核心模块（post-template.php）中不正确的代码导致跨站脚本（XSS）。笔者只需简单地更新为 </a><script>alert('1');</script><a> </a><script>alert('1');</script><a> ，索引页和文章页（Post page）都会受到影响。漏洞已经通知官方。下面是临时修补方法： /*This will patch XSS in Index Page*/ Vulnerable Code Part 1 function the_title($before = '', $after = '', $echo = true) { $title = get_the_title(); if ( strlen($title) == 0 ) return; $title = $before . $title . $after; if ( $echo ) echo htmlentities($title); /* Line No 52 Patch*/ else return htmlentities($title); /* Line No 54 Patch*/ } Vulnerable Code Part 2 function the_title_attribute( $args = '' ) { $title = get_the_title(); if ( strlen($title) == 0 ) return; $defaults = array('before' => '', 'after' => '', 'echo' => true); $r = wp_parse_args($args, $defaults); extract( $r, EXTR_SKIP ); $title = $before . $title . $after; $title = esc_attr(strip_tags($title)); if ( $echo ) echo htmlentities($title) ;/* Line No 87 Patch here By adding htmlentities*/ else return htmlentities($title); /* Line No 89 Patch*/ } /*This will Patch XSS in Post page*/ Vulnerable Code Part 3 function get_the_title( $id = 0 ) { $post = &get_post($id); $title = isset($post->post_title) ? $post->post_title : ''; $id = isset($post->ID) ? $post->ID : (int) $id; if ( !is_admin() ) { if ( !empty($post->post_password) ) { $protected_title_format = apply_filters('protected_title_format', __('Protected: %s')); $title = sprintf($protected_title_format, $title); } else if ( isset($post->post_status) && 'private' == $post->post_status ) { $private_title_format = apply_filters('private_title_format', __('Private: %s')); $title = sprintf($private_title_format, $title); } } return htmlentities(apply_filters( 'the_title', $title, $id )); /* Line No 119 Patch*/ } /*This will patch XSS in Index Page*/ Vulnerable Code Part 1 function the_title($before = '', $after = '', $echo = true) { $title = get_the_title();
if ( strlen($title) == 0 ) return;
$title = $before . $title . $after;
if ( $echo ) echo htmlentities($title); /* Line No 52 Patch*/ else return htmlentities($title); /* Line No 54 Patch*/ }
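// Vulnerable Code Part 2
/**
 * Display or retrieve the post title, escaped for an HTML attribute value.
 *
 * Difference from the advisory's patched version: the second escaping pass
 * (htmlentities() applied to the output of esc_attr()) is dropped. esc_attr()
 * already encodes <, >, &, " and ' for the attribute context; running
 * htmlentities() on its result re-encoded the '&' of every entity it had just
 * produced ("&amp;" became "&amp;amp;"), corrupting titles that contain '&',
 * quotes or entity-encoded punctuation without adding protection.
 *
 * @param string|array $args Optional. Arguments for wp_parse_args():
 *                           'before' (string) text placed before the title,
 *                           'after'  (string) text placed after the title,
 *                           'echo'   (bool)   echo (true) or return (false).
 * @return string|void Escaped title when 'echo' is false; nothing when echoing
 *                     or when the post has no title.
 */
function the_title_attribute( $args = '' ) {
	$title = get_the_title();

	if ( 0 === strlen( $title ) )
		return;

	$defaults = array( 'before' => '', 'after' => '', 'echo' => true );
	$r        = wp_parse_args( $args, $defaults );

	// Read the three known keys explicitly rather than extract()-ing the whole
	// parsed argument set (which may come from a caller-supplied query string)
	// into local variables.
	$before = $r['before'];
	$after  = $r['after'];
	$echo   = $r['echo'];

	// Tags are stripped first (this is attribute text, not markup), then the
	// result is escaped exactly once for the attribute context.
	$title = esc_attr( strip_tags( $before . $title . $after ) );

	if ( $echo )
		echo $title;
	else
		return $title;
}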
/*This will Patch XSS in Post page*/
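// Vulnerable Code Part 3
/**
 * Retrieve the post title, with the "Protected:" / "Private:" prefixes added
 * outside the admin and the 'the_title' filter applied, then HTML-encoded.
 *
 * The encoding flags are made explicit. The advisory's one-argument
 * htmlentities() call relied on PHP's defaults, which on PHP < 5.4 are
 * ENT_COMPAT (single quotes left alone) and ISO-8859-1 (each byte of a UTF-8
 * title encoded separately), plus double_encode = true, which turns entities
 * already present in the filtered title (e.g. those emitted by filters hooked
 * to 'the_title', such as wptexturize()) into "&amp;#8217;".
 *
 * NOTE(review): encoding here, inside the getter, reaches every caller of
 * get_the_title(), not only the_title(); a caller that escapes again for its
 * own context (the_title_attribute() via esc_attr()) will double-encode.
 * WordPress otherwise escapes at output time; this placement is the advisory's
 * temporary patch and is kept as such.
 *
 * @param int $id Optional. Post ID; 0 uses the current post as resolved by get_post().
 * @return string Encoded title; empty string when the post has no title.
 */
function get_the_title( $id = 0 ) {
	$post = &get_post( $id );

	$title = isset( $post->post_title ) ? $post->post_title : '';
	$id    = isset( $post->ID ) ? $post->ID : (int) $id;

	if ( ! is_admin() ) {
		if ( ! empty( $post->post_password ) ) {
			$protected_title_format = apply_filters( 'protected_title_format', __( 'Protected: %s' ) );
			$title = sprintf( $protected_title_format, $title );
		} elseif ( isset( $post->post_status ) && 'private' === $post->post_status ) {
			$private_title_format = apply_filters( 'private_title_format', __( 'Private: %s' ) );
			$title = sprintf( $private_title_format, $title );
		}
	}

	$title = apply_filters( 'the_title', $title, $id );

	// ENT_QUOTES covers both quote styles. 'UTF-8' assumes the site's blog
	// charset is UTF-8 — TODO confirm for non-UTF-8 installs, where
	// htmlentities() returns '' on input that is not valid in the given charset.
	// double_encode = false leaves entities already in the filtered title alone.
	return htmlentities( $title, ENT_QUOTES, 'UTF-8', false );
}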
来源:落叶's Blog