A proof-of-concept code exploiting newly discovered XSS vulnerabilities in the latest version of WordPress (2.2.1) was posted today on a security blog. The researcher unveiled seven vulnerabilities, cross-site scripting (XSS) or SQL injections, whose consequences range from benign to serious, the critical ones potentially leading to a full compromise of the blog. In his haste to show his skills, this person also released a proof-of-concept (PoC) code exploiting one of these vulnerabilities.
The PoC in itself, as explained, is supposedly not malicious, and is designed to raise awareness and patch vulnerable versions of the WordPress publishing platform. In a few words, here’s how it works:
A patch may look something like the following:
    /* Security patch added by the xxxx by xxxx http://... */
    /* keep only ASCII letters in $style; anything else (quotes, brackets, slashes) is dropped */
    $style = preg_replace('/[^A-Za-z]/', '', $style);
    /* end of patch */
In this example, the patch adds a sanity check for the $style variable used in upload.php. This is the same vulnerability that is used to modify WordPress in the first place.
Though the author’s goal is honorable, the code used to patch the three aforementioned files seems to be buggy itself. The modified files are, in fact, fully overwritten. In doing that, the author forgot to encode the ‘+’ character, which gets interpreted as a space by the browser. This means that all instances of the ‘+’ character in the three files are replaced by spaces. One bug is then introduced in link-import.php, where ‘$i++’ gets replaced by ‘$i ’ in a loop. I’ll let you draw the consequences... a bug affecting a regular expression filter would also affect options.php.