Closed Bug 778316 Opened 12 years ago Closed 12 years ago

Fix XSS Before Installing Backend Localization Plugin

Categories

(Websites Graveyard :: blog.mozilla.org, defect)

Firefox 6
x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mfuller, Unassigned)

Details

(Keywords: wsec-xss)

The Backend Localization plugin allows an admin WP area to be in a different language than the rest of the site. We need this plugin to allow English speakers to admin blogs in other countries.

During the security review of the plugin, XSS was found because the "kau-boys_backend_localization_language" parameter is not sanitized. The provided variable (such as en-US, de, etc.) is used within the comments of each page. Using ">--><script>alert(1);</script> as the payload causes the comment to be ended and the script to execute.

http://site.com/wp-admin/upload.php?kau-boys_backend_localization_language=%22%3E--%3E%3Cscript%3Ealert%281%29;%3C/script%3E

Because of the way the language file is saved, this XSS is further reflected on every admin page visited.

Before the plugin can be installed, we need to fix this. I will attempt to contact the developer, but a dev here could fix it if possible by simply escaping the parameter.
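
The flaw and the fix suggested above, sketched in plain PHP as an added example; this is not the plugin's code or the 2.0.2 patch. The comment layout, the function names and the locale pattern are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's own code. All function names are hypothetical.

// Vulnerable pattern described in the report: the request value is written
// straight into an HTML comment (comment layout assumed for this example).
function render_comment_unsafe(string $lang): string {
    return "<!-- backend language: $lang -->";
}

// Input handling: accept only locale-shaped values (en, de, en-US, pt_BR).
// Anything else falls back to a default, so a hostile value is never saved
// and cannot be replayed on later admin pages.
function sanitize_locale(string $lang, string $default = 'en-US'): string {
    $ok = preg_match('/\A[a-z]{2,3}(?:[-_][A-Za-z]{2,4})?\z/', $lang) === 1;
    return $ok ? $lang : $default;
}

// Output handling: validate again on read (covers values saved before the
// fix) and escape, so "-->" can never appear inside the comment.
function render_comment_safe(string $lang): string {
    $lang = htmlspecialchars(sanitize_locale($lang), ENT_QUOTES, 'UTF-8');
    return "<!-- backend language: $lang -->";
}

// Constructed inputs: two ordinary locales and the payload from the report
// (URL-decoded).
$samples = ['de', 'en-US', '">--><script>alert(1);</script>'];

foreach ($samples as $value) {
    echo "input:  $value\n";
    echo "unsafe: " . render_comment_unsafe($value) . "\n";
    echo "safe:   " . render_comment_safe($value) . "\n\n";
}

// Escaping alone, as the report suggests, also keeps the comment closed:
// ">" becomes "&gt;", so the "-->" terminator is never emitted.
echo "<!-- backend language: "
    . htmlspecialchars($samples[2], ENT_QUOTES, 'UTF-8')
    . " -->\n";
```
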
Just an update on this - the developer has replied and we are actively working on a fix which should be up in 1-2 days.
Plugin has been fixed - see 2.0.2 at http://wordpress.org/extend/plugins/kau-boys-backend-localization/changelog/
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Product: Websites → Websites Graveyard
Component: blog.mozilla.com/theden → blog.mozilla.org
Product: Websites Graveyard → Websites
Product: Websites → Websites Graveyard