Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

WordPress 3.3.2 Addresses Setup XSS Vulnerabilities

Back in January we released a security advisory for WordPress, which included four vulnerabilities in the installation scripts. After discussing these issues with the WordPress team, it was decided that the vulnerabilities were not going to be fixed immediately in WordPress core considering the severity and the short window of exploitability of these issues.

Last Friday, the WordPress team released version 3.3.2, which includes a number of security improvements. Some of these improvements addressed the cross-site scripting vulnerabilities identified in our January advisory. In reviewing the changes that contributed to this fix, we noticed that WordPress addressed the issue from more than one perspective and we will cover some of them in this post.

Having access to source code can make evaluating security patches for any product a lot easier. For an open source project like WordPress, which hosts a public subversion repository, it is especially easy to get access to multiple versions. WordPress is currently hosting every version from version 1.5 to current so you can easily step into the way-back machine and see what changed between versions. All of these versions can be found here.

If you want to look at all the changes between version 3.3.1 and 3.3.2 you could just diff both releases in their entirety by checking them out and using 'diff -r 3.3.1/ 3.3.2/'. However, unless you are interested in reading through the 11,000+ changes between these versions, you need to reduce scope. Since the previously reported issue was with the /wp-admin/setup-config.php file, starting there is a good idea.

9952_73c3eff9-8b44-4ba1-9970-423e6f95ce46
What you are seeing in the above diff are three basic additions that make the WordPress installation script more resilient against JavaScript or HTML injection:

  • wp_unregister_GLOBALS – This is a basic defensive function to prevent variable overrides with implementations that enable register globals in their PHP configuration. It simply unsets (aka: destroys) the locally scoped instances of non-white listed global variables so that user-supplied input cannot override them.
  • wp_magic_quotes – This function is another defensive function used to clean up variable inputs. It escapes input data to make it safer for the application to process and can help prevent JavaScript and HTML injection vulnerabilities.
  • formatting.php – This is an include for the main formatting API that WordPress uses for a lot of its text wrangling. Oddly enough, in this particular case, it does not appear to be used.

Checking a handful of commit messages around the same time frame revealed that the next commit also contained changes that help with these issues. These changes sanitize the output of database error messages that are presented when the XSS vulnerability is demonstrated.

9662_65b43b6b-db70-45c5-a5a8-c829a1480db6
The built-in "htmlspecialchars" function is used above, which prevents the dbuser and dbhost variables from containing valid JavaScript/HTML markup that would be interpreted when they are displayed/output to the end user. Therefore, if someone managed to bypass the additional input controls added in the first set of changes, they would also have to deal with additional sanitation of their output. This makes it much more difficult for an attacker to use this attack vector.

For those of you running WordPress as a blogging and/or CMS system, a number of other important security updates where included in last Friday's release. If you are not running the current stable version already, upgrading to the latest version is highly recommended.

PS - Kudos to the WordPress team on their recent 3.3.2 release and by addressing this issue and many others at multiple levels in the WordPress core.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo