Author : Darshit Ashara
Date   : 21/08/2011
Vendor : WordPress
Version: 3.2.1
WordPress核心模块不正确的代码(post-template.php)
导致跨站点脚本。
笔者可以简单地更新
view plaincopy to clipboardprint?
</a><script>alert('1');</script><a>  
</a><script>alert('1');</script><a>
都会给给索引页和后页的造成影响。
漏洞已经通知官方
下面是临时修补方法:

view plaincopy to clipboardprint?
   
/*This will page XSS in Index Page*/ 
Vulnerable Code Part 1  
function the_title($before = '', $after = '', $echo = true) {  
  $title = get_the_title();  
 
  if ( strlen($title) == 0 )  
    return;  
 
  $title = $before . $title . $after;  
 
  if ( $echo )  
    echo htmlentities($title); /* Line No 52 Patch*/ 
  else 
    return htmlentities($title); /* Line No 54 Patch*/ 
}  
 
 
Vulnerable Code Part 2  
function the_title_attribute( $args = '' ) {  
  $title = get_the_title();  
 
  if ( strlen($title) == 0 )  
    return;  
 
  $defaults = array('before' => '', 'after' =>  '', 'echo' => true);  
  $r = wp_parse_args($args, $defaults);  
  extract( $r, EXTR_SKIP );  
 
 
  $title = $before . $title . $after;  
  $title = esc_attr(strip_tags($title));  
 
  if ( $echo )  
    echo htmlentities($title) ;/* Line No 87 Patch here By adding htmlentities*/ 
  else 
    return htmlentities($title); /* Line No 89 Patch*/ 
}  
 
/*This will Patch XSS in Post page*/ 
 
Vulnerable Code Part 3  
function get_the_title( $id = 0 ) {  
  $post = &get_post($id);  
 
  $title = isset($post->post_title) ? $post->post_title : '';  
  $id = isset($post->ID) ? $post->ID : (int) $id;  
 
  if ( !is_admin() ) {  
    if ( !emptyempty($post->post_password) ) {  
      $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));  
      $title = sprintf($protected_title_format, $title);  
    } else if ( isset($post->post_status) && 'private' == $post->post_status ) {  
      $private_title_format = apply_filters('private_title_format', __('Private: %s'));  
      $title = sprintf($private_title_format, $title);  
    }  
  }  
  return htmlentities(apply_filters( 'the_title', $title, $id )); /* Line No 119 Patch*/ 
}  
 
/*This will page XSS in Index Page*/
Vulnerable Code Part 1
function the_title($before = '', $after = '', $echo = true) {
  $title = get_the_title();

  if ( strlen($title) == 0 )
    return;

  $title = $before . $title . $after;

  if ( $echo )
    echo htmlentities($title); /* Line No 52 Patch*/
  else
    return htmlentities($title); /* Line No 54 Patch*/
}
Vulnerable Code Part 2
function the_title_attribute( $args = '' ) {
  $title = get_the_title();

  if ( strlen($title) == 0 )
    return;

  $defaults = array('before' => '', 'after' =>  '', 'echo' => true);
  $r = wp_parse_args($args, $defaults);
  extract( $r, EXTR_SKIP );
  $title = $before . $title . $after;
  $title = esc_attr(strip_tags($title));

  if ( $echo )
    echo htmlentities($title) ;/* Line No 87 Patch here By adding htmlentities*/
  else
    return htmlentities($title); /* Line No 89 Patch*/
}

/*This will Patch XSS in Post page*/

Vulnerable Code Part 3
function get_the_title( $id = 0 ) {
  $post = &get_post($id);

  $title = isset($post->post_title) ? $post->post_title : '';
  $id = isset($post->ID) ? $post->ID : (int) $id;

  if ( !is_admin() ) {
    if ( !empty($post->post_password) ) {
      $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
      $title = sprintf($protected_title_format, $title);
    } else if ( isset($post->post_status) && 'private' == $post->post_status ) {
      $private_title_format = apply_filters('private_title_format', __('Private: %s'));
      $title = sprintf($private_title_format, $title);
    }
  }
  return htmlentities(apply_filters( 'the_title', $title, $id )); /* Line No 119 Patch*/
}

转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/859.html