
WordPress <=4.2.1 Stored XSS

May 8, 2015

We noticed that the fix for the stored XSS in the latest WordPress release (4.2.1) can be bypassed. Details follow.

In wp-includes\wp-db.php, the function process_field_lengths() (together with the new get_col_length() helper it calls) added a check of the submitted comment's length against the limit of the column's data type:

```php
protected function process_field_lengths( $data, $table ) {
	foreach ( $data as $field => $value ) {
		if ( '%d' === $value['format'] || '%f' === $value['format'] ) {
			// We can skip this field if we know it isn't a string.
			// This checks %d/%f versus ! %s because it's sprintf() could take more.
			$value['length'] = false;
		} else {
			$value['length'] = $this->get_col_length( $table, $field );
			if ( is_wp_error( $value['length'] ) ) {
				return false;
			}
		}
		// The check that can be bypassed: a character count is compared with a byte limit.
		if ( false !== $value['length'] && mb_strlen( $value['value'] ) > $value['length'] ) {
			return false;
		}
		$data[ $field ] = $value;
	}
	return $data;
}
```

The values of $value['length'] and mb_strlen( $value['value'] ) are compared. $value['length'] comes from get_col_length(), which reports the capacity of the column's data type in bytes (65535 for a MySQL TEXT column such as comment_content), while mb_strlen() returns a count of characters. The two measurements use different units: one is a number of characters, the other a number of bytes.

[Screenshot: wp2]

mb_strlen() counts a multi-byte character as 1, but depending on the encoding a single character can occupy several bytes (in UTF-8, two to four). So we can build a string whose character count is no more than 65535 while its byte count is larger than 65535. Such a string satisfies the condition:

```php
if ( false !== $value['length'] && mb_strlen( $value['value'] ) > $value['length'] ) {
	return false;
}
```


When PHP then inserts the row, the string is longer than the upper limit of MySQL's TEXT type (65535 bytes), so MySQL truncates it (silently, unless strict SQL mode is enabled, in which case the insert fails instead). What ends up in the database is only a prefix of the string that the comment filters validated, which means the old truncation-based XSS can be used again.
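To make the unit mismatch concrete, here is an added example, not code from the original post or from WordPress, that models in Python the character-count check of 4.2.1 (len() plays the role of mb_strlen()), the byte-count check that would close the gap (strlen() on the UTF-8 string), and MySQL's truncation of an oversized TEXT value. build_payload(), simulate_comment_insert() and the sample comment are constructed for illustration; the example generalizes the post's point to any character that takes more than one byte in UTF-8.

```python
# Added example (not WordPress code): models the length check from
# process_field_lengths() in WordPress 4.2.1, the byte-based check that
# closes the gap, and MySQL's truncation of an oversized TEXT value.

TEXT_COLUMN_LIMIT = 65535  # capacity of a MySQL TEXT column, in bytes

# Shape of the constructed sample comment: a quoted attribute that is only
# closed by the suffix, so truncation changes what the HTML means.
PAYLOAD_PREFIX = "<a title='"
PAYLOAD_SUFFIX = "'>link</a>"


def passes_char_length_check(value: str, limit: int = TEXT_COLUMN_LIMIT) -> bool:
    """WordPress 4.2.1 behaviour: mb_strlen() counts characters, so N
    multi-byte characters measure as N regardless of their UTF-8 size."""
    return len(value) <= limit


def passes_byte_length_check(value: str, limit: int = TEXT_COLUMN_LIMIT) -> bool:
    """Correct check for a byte-limited column: measure the UTF-8 encoding,
    as PHP's strlen() does on a UTF-8 string."""
    return len(value.encode("utf-8")) <= limit


def mysql_text_truncate(value: str, limit: int = TEXT_COLUMN_LIMIT) -> str:
    """Model of what MySQL (non-strict SQL mode) stores for an oversized TEXT
    value: the first `limit` bytes, minus any trailing partial character."""
    return value.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def build_payload(pad_char: str = "é", limit: int = TEXT_COLUMN_LIMIT) -> str:
    """Constructed sample comment: the title attribute is padded with
    multi-byte characters so the character count is exactly `limit`
    (passes the mb_strlen check) while the byte count is far larger."""
    if len(pad_char.encode("utf-8")) < 2:
        raise ValueError("pad_char must be a multi-byte character")
    padding = pad_char * (limit - len(PAYLOAD_PREFIX) - len(PAYLOAD_SUFFIX))
    return PAYLOAD_PREFIX + padding + PAYLOAD_SUFFIX


def simulate_comment_insert(value: str, limit: int = TEXT_COLUMN_LIMIT) -> dict:
    """Run both checks and, if the 4.2.1 check lets the value through,
    model what actually lands in comment_content."""
    result = {
        "chars": len(value),
        "bytes": len(value.encode("utf-8")),
        "passes_4_2_1_check": passes_char_length_check(value, limit),
        "passes_byte_check": passes_byte_length_check(value, limit),
        "stored": None,
        "suffix_survived": None,
    }
    if result["passes_4_2_1_check"]:
        stored = mysql_text_truncate(value, limit)
        result["stored"] = stored
        # If the closing quote and tag were cut off, the stored HTML is no
        # longer the string that the comment filters validated.
        result["suffix_survived"] = stored.endswith(PAYLOAD_SUFFIX)
    return result


if __name__ == "__main__":
    r = simulate_comment_insert(build_payload())
    print(f"chars={r['chars']} bytes={r['bytes']}")
    print(f"4.2.1 (character) check passes: {r['passes_4_2_1_check']}")
    print(f"byte check passes:              {r['passes_byte_check']}")
    print(f"closing quote survived storage: {r['suffix_survived']}")
```

Running it shows the 65535-character comment passing the character-count check while weighing 131050 bytes; after truncation only the opening `<a title='` and about half of the padding remain, so the attribute that the filter saw as safely quoted is stored unclosed. A pure-ASCII comment of 65536 bytes is rejected by both checks, which is the case 4.2.1 did cover.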

Copy all of the characters from "poc.txt" and submit them as a WordPress comment from the IE browser, as shown in the screenshot below.

[Screenshot: wp21]
