XSS in wp_nonce_ays

[xknown]

There's a small XSS vulnerability in wp_nonce_ays that requires user intervention, attribute_escape is useless when _wp_http_referer contains something like javascript:alert("XSS").

PoC (click "No"):
​http://wp/wp-admin/plugins.php?action=activate&plugin=akismet/akismet.php&_wp_http_referer=javascript:alert(%22XSS%22)

[xknown]

Proposed fix

[ryan]

Use clean_url where approproate. Admin files A - L.

[markjaquith]

trunk/wp-admin/ (m-z)

[markjaquith]

trunk/wp-includes/ (m-z)

[ryan]

clean_url() for wp-includes A - L

[Nazgul]

The given PoC didn't work for me out of the box, but with some fiddling I got it to work.

2.0.x, 2.1.x and trunk are all vulnerable.

The given patch takes the sting out of the attack on my tests.

Also please note that the attached patch was made from the wp-includes directory and not from the root.

[Nazgul]

Guess I was typing too slow. :)

[markjaquith]

trunk/

[ryan]

We're using clean_url instead of attribute_escape for content that goes in an href or src.

[markjaquith]

branches/2.1/ patch

[markjaquith]

(In [5056]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

[markjaquith]

(In [5057]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

[markjaquith]

branches/2.0/ patch

[markjaquith]

(In [5058]) use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.