WordPress 3.3 Cross-Site Scripting (XSS)

Yesterday two Indian security researchers, Aditya Modha & Samir Shah, released an advisory outlining a Cross-Site Scripting (XSS) vulnerability within the latest version (at the time of writing) of WordPress, 3.3. Many people started re-tweeting the news (including myself) and blogging about it. The problem came when I tried to reproduce the vulnerability: I couldn’t.

I started to think that the vulnerability was a misunderstanding or a publicity stunt, and was getting annoyed at the many people who were spreading misinformation. I contacted the researchers over Twitter and told them that I was unable to reproduce the vulnerability in any browser or on any WordPress installation, including vanilla installs.

The researchers got back in touch with a link to a WordPress installation on which the vulnerability worked. The URL they gave me was an IP address, and within their environment the XSS worked.

At this point I think even the researchers were puzzled. They sent me this code, which they believed was the function causing the XSS, from wp-includes/functions.php (http://pastebin.com/iBnpN8Zm):

function wp_guess_url() {
	if ( defined('WP_SITEURL') && '' != WP_SITEURL ) {
		$url = WP_SITEURL;
	} else {
		$schema = is_ssl() ? 'https://' : 'http://';
		$url = preg_replace('|/wp-admin/.*|i', '', $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
	}
	return rtrim($url, '/');
}

The XSS occurs because $_SERVER['REQUEST_URI'] (the URI that was requested in order to reach the page) is used in output without first being sanitized. Better still, it shouldn’t have been used at all.

So why couldn’t I reproduce it, and why couldn’t the researchers reproduce it outside their own environment? Because the ‘else’ branch never runs when WordPress was installed via a domain name.

If you installed WordPress by accessing it at http://192.168.100.110/, for example, you are vulnerable. If, however, like most (but not all) people, you installed WordPress via the domain name, e.g. http://www.ethicalhack3r.co.uk, you are not vulnerable.

Quick and easy fix until WordPress releases a patch? Pass $_SERVER['REQUEST_URI'] through esc_html() first: esc_html($_SERVER['REQUEST_URI']).

Example (tested):

wp-includes/functions.php:3756

$url = preg_replace('|/wp-admin/.*|i', '', $schema . $_SERVER['HTTP_HOST'] . esc_html($_SERVER['REQUEST_URI']));
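The following is an added example, not code from the original post or from WordPress itself. It models the two branches of wp_guess_url() with the server variables and the WP_SITEURL constant passed in as plain parameters so it can run outside WordPress, and compares the unsanitized version from the post with the esc_html() fix proposed above. The esc_html() stand-in is an assumption: WordPress’s real esc_html() is assumed to behave like htmlspecialchars() with ENT_QUOTES for the characters that matter here. The request values are constructed for the demonstration.

```php
<?php
// Added example: models wp_guess_url() from the post outside of WordPress.

// Stand-in for WordPress's esc_html() (assumption: htmlspecialchars-like
// escaping with ENT_QUOTES is enough for this demonstration).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Unsanitized version, as quoted in the post. $siteurl stands in for the
// WP_SITEURL constant (null = constant not defined), $server for $_SERVER.
function guess_url_vulnerable(array $server, $siteurl = null, $ssl = false) {
    if ($siteurl !== null && '' != $siteurl) {
        $url = $siteurl;
    } else {
        $schema = $ssl ? 'https://' : 'http://';
        $url = preg_replace('|/wp-admin/.*|i', '',
            $schema . $server['HTTP_HOST'] . $server['REQUEST_URI']);
    }
    return rtrim($url, '/');
}

// Same function with the fix from the post: REQUEST_URI is escaped before
// it is concatenated into the URL that later ends up in output.
function guess_url_fixed(array $server, $siteurl = null, $ssl = false) {
    if ($siteurl !== null && '' != $siteurl) {
        $url = $siteurl;
    } else {
        $schema = $ssl ? 'https://' : 'http://';
        $url = preg_replace('|/wp-admin/.*|i', '',
            $schema . $server['HTTP_HOST'] . esc_html($server['REQUEST_URI']));
    }
    return rtrim($url, '/');
}

// Review check: does the value that will be echoed still carry raw markup
// characters from the request?
function contains_raw_markup($value) {
    return strpbrk($value, '<>"\'') !== false;
}

// Constructed request: installed by IP, so WP_SITEURL is unset and the
// else branch runs. The path carries a harmless marker tag.
$server = [
    'HTTP_HOST'   => '192.168.100.110',
    'REQUEST_URI' => '/?p=<b>marker</b>',
];

$vulnerable = guess_url_vulnerable($server);
$fixed      = guess_url_fixed($server);
$byDomain   = guess_url_vulnerable($server, 'http://www.ethicalhack3r.co.uk');

printf("unsanitized : %s  (raw markup: %s)\n",
    $vulnerable, contains_raw_markup($vulnerable) ? 'yes' : 'no');
printf("esc_html fix: %s  (raw markup: %s)\n",
    $fixed, contains_raw_markup($fixed) ? 'yes' : 'no');
printf("by domain   : %s  (raw markup: %s)\n",
    $byDomain, contains_raw_markup($byDomain) ? 'yes' : 'no');
```

Run with `php example.php`. The first line echoes the marker tag verbatim, the second shows it as `&lt;b&gt;marker&lt;/b&gt;`, and the third never touches REQUEST_URI at all, which is the reason the bug only shows up on installs that reach the else branch.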

UPDATE —

WordPress 3.3.1 has been released that seems to fix the issue.

31 thoughts on “WordPress 3.3 Cross-Site Scripting (XSS)”

  1. superevr

    If the WordPress site is running HTTPS, there is a good chance that it can still be accessed by IP address, and vulnerable to this bug.

  2. Pingback: Wordpress 3.3.1 | oziloz

  3. Pingback: [REPOST] Sophos: XSS flaw in WordPress 3.3 – How the smallest things make testing tough | WEBsISC Blagh!

  4. Pingback: Wordpress 3.3 Patched to Fix Cross-Site Scripting Vulnerability | LIVE HACKING

  5. Pingback: XSS flaw in WordPress 3.3 | Cyber Crimes Unit

  6. Pingback: WordPress 3.3.1 XSS Vulnerability Patch and 15 Bugs Fixed

  7. Pingback: WordPress 3.3.1 closes XSS hole | CYBERSEECURE

  8. Pingback: WordPress 3.3.1 closes XSS hole |

  9. Pingback: WordPress 3.3.1 « hep-cat.de

  10. TAPAS

    Hi!
    Thanks for this post.
    I beg to say that my one WordPress site was hacked.

    When I visit my site it shows “HACKED BY DR.FOSAL”.

    Please tell me how I can remove it.
    Thank you so much.
    Waiting for reply.

  11. ethicalhack3r

    @Phillips321

    It should depend on which you were using when you installed WordPress, the IP address or the domain name.

  12. parsigate

    I have justdPress installation address shouldn’t be the same as the site address.

    and suggest this:
    Moving WP core files to any non-standard folder will make your site less vulnerable to automated attacks. Most scripts that script kiddies use rely on default file paths. If your blog is setup on http://www.site.com you can put WP files in ie: /var/www/vhosts/site.com/www/wp-core/ instead of the obvious /var/www/vhosts/site.com/www/.

    Site and WP address can easily be changed in Options – General. Before doing so please watch this detailed video tutorial which describes what other steps are necessary to move your WP core files to another location.

    Do you think it’s really an issue?

  13. Pingback: Upgrade to WordPress 3.3.2 | redcatco blog

  14. Pingback: Upgrading to WordPress 3.3.2 | redcatco blog


Comments are closed.