More interesting results from yesterday’s experiments with dumping some markup in the title of a post and seeing what breaks. I noticed the markup made its way into the WordPress Admin section. Is that just because the markup I used (strong and span tags) was relatively innocuous or is there a potentially deeper problem? Let’s find out.

It’s not a big problem for this site, because I’m both the sole author and administrator, but it could be a problem on a site where author and administrator privileges are separated.

Yep, it’s a bug all right, at least in this version of WordPress. I haven’t tested it in the latest and greatest yet. (Update: several other people have now tested and verified the presence of the bug in the latest versions.) Links in titles can break the Posts box of the WordPress admin panel so it points to something other than the site it’s supposed to. I suspect this is a security hole too, though doubtless the WordPress folks will deny this. (They’re in denial about a lot of architectural flaws.) Still, I should be able to get them to fix this on non-security grounds so that doesn’t matter a great deal here.

However, now I start wondering if I can use this to inject JavaScript into the admin page? Hmm…
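An added illustration of the bug class described above (not code from the original post or from WordPress): a simplified admin post-list row rendered with the title unescaped, then escaped at output. The function names, the `/admin/edit` path and the sample title are constructed for the example.

```php
<?php
// Added example: a simplified stand-in for an admin "Posts" row, not WordPress code.
// render_row_raw(), render_row_escaped() and link_targets() are hypothetical names.

// Unescaped: the stored title is pasted into the page as markup.
function render_row_raw(int $id, string $title): string {
    return '<li><a href="/admin/edit?post=' . $id . '">' . $title . '</a></li>';
}

// Escaped at output: the title is treated as text, whatever it contains.
// Current WordPress provides esc_html() for this purpose.
function render_row_escaped(int $id, string $title): string {
    return '<li><a href="/admin/edit?post=' . $id . '">'
         . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</a></li>';
}

// Return the href of every anchor element present in $html.
function link_targets(string $html): array {
    preg_match_all('/<a\s[^>]*href="([^"]*)"/i', $html, $m);
    return $m[1];
}

// Constructed title: closes the row's own link, then opens one of its own.
$title = 'Hello</a> <a href="https://other.example/">world';

foreach (['raw' => 'render_row_raw', 'escaped' => 'render_row_escaped'] as $label => $fn) {
    $html = $fn(42, $title);
    echo $label, ': ', $html, "\n";
    foreach (link_targets($html) as $href) {
        // Anything not under the (constructed) admin path is a link the title smuggled in.
        $own = strncmp($href, '/admin/', 7) === 0;
        echo '  link -> ', $href, $own ? '' : '   (leaves the admin area)', "\n";
    }
}
```

The raw row ends up with two links, one of them pointing off-site; the escaped row keeps only the edit link and shows the title's markup as literal text.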

  1. James Orenchak, CISSP Says:


    I’ve never used WordPress, but I’d bet you a case of beer that a hacker would be able to use the bug you mentioned, placing markup in the title of a post, to inject JavaScript or commands in some other format into the admin page. The application has probably never undergone a security assessment. A good security assessment done sometime in the development phase would have detected this bug. Too bad security assessments aren’t always carried out!

