WordPress 2.6.3 XSS RSS Feed Generator Vulnerability Revealed. Mitigated.

Due to what we consider a critical and, of course, exploitable vulnerability in the RSS subsystem of WordPress 2.6.3 and below, WordPress has released a fix and moved to version 2.6.5. The links to the new version and other information are available after the jump, along with the Full-Disclosure vulnerability announcement from Jeremias Reith.
WordPress 2.6.5 is immediately available and fixes one security problem and three bugs. We recommend everyone upgrade to this release. The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package. 2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5. Note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4.
Nov 26th, 2008 at 12:35
If you’re running WordPress, you need to upgrade: http://tinyurl.com/6yqjrc
Nov 28th, 2008 at 02:08
[...] While the details are quite technical, it involves an unsanitized $_SERVER variable and the WordPress feeds output (both Atom feeds and RSS 2.0). Just like unwashed hands spreading germs, uncleaned data from the server can have nasty surprises in them – and the feeds code doesn't clean it well enough (until 2.6.5, that is). That possible 'surprise' can then possibly affect all viewers of the feed (if you're interested in the technical bulletin, you can read them at infosecurity). [...]
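The comment's point, as an added example that is not WordPress's own feed.php code: it assumes the unsanitized $_SERVER value is the request's Host header reflected into the feed's self-link, and places the raw concatenation beside a version that validates the host and XML-escapes it before output.

```php
<?php
// Added example, not WordPress code. The feed self-link is assumed to be
// built from the Host header; on an IP-based Apache virtual host the request
// is routed by address, so whatever Host value the client sends reaches here.

function build_self_link(array $server, bool $sanitize): string
{
    $host = $server['HTTP_HOST'] ?? '';
    $uri  = $server['REQUEST_URI'] ?? '/';

    if ($sanitize) {
        // Allow only hostname characters and an optional port; reject the rest.
        if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/', $host)) {
            throw new InvalidArgumentException('Rejected Host header: ' . $host);
        }
        // Escape before embedding in XML so quotes and angle brackets cannot
        // break out of the attribute, even if validation is loosened later.
        $host = htmlspecialchars($host, ENT_QUOTES | ENT_XML1, 'UTF-8');
        $uri  = htmlspecialchars($uri,  ENT_QUOTES | ENT_XML1, 'UTF-8');
    }

    return '<atom:link href="http://' . $host . $uri
         . '" rel="self" type="application/rss+xml" />';
}

// Constructed request environments standing in for $_SERVER.
$benign  = ['HTTP_HOST' => 'blog.example.test', 'REQUEST_URI' => '/feed/'];
$hostile = ['HTTP_HOST' => 'blog.example.test"><b>injected</b>',
            'REQUEST_URI' => '/feed/'];

// Normal request: sanitized output is unchanged apart from escaping.
echo build_self_link($benign, true), PHP_EOL;

// Unsanitized path: the header's markup lands verbatim inside the feed XML.
echo build_self_link($hostile, false), PHP_EOL;

// Sanitized path: the same header is refused before it can be reflected.
try {
    build_self_link($hostile, true);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Deriving the link from the configured site address instead of the request header removes the attacker-influenced input altogether; the validation and escaping above are the minimum when the header must be used.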