BUGTRAQ ID: 34075 WordPress MU允许在单个wordpress安装上运行多个博客。 WordPress MU的choose_primary_blog函数没有正确地过滤Host头。以下是wp-includes/wpmu-functions.php中的有漏洞代码段: 1830 function choose_primary_blog() { 1831 global $current_user; 1832 ?> 1833 <table class="form-table"> 1834 <tr> 1835 <th scope="row"><?php _e('Primary Blog'); ?></th> 1836 <td> 1837 <?php 1838 $all_blogs = get_blogs_of_user( $current_user->ID ); 1839 if( count( $all_blogs ) > 1 ) { 1840 $primary_blog = get_usermeta($current_user->ID, 'primary_blog'); 1841 ?> 1842 <select name="primary_blog"> 1843 <?php foreach( (array) $all_blogs as $blog ) { ?> 1844 <option value='<?php echo $blog->userblog_id ?>'<?php if( $primary_blog == $blog->userblog_id ) echo ' selected="selected"' ?>>http://<?php echo $blog->domain.$blog->path ?></option> 1845 <?php } ?> 1846 </select> 1847 <?php 1848...
BUGTRAQ ID: 34075 WordPress MU允许在单个wordpress安装上运行多个博客。 WordPress MU的choose_primary_blog函数没有正确地过滤Host头。以下是wp-includes/wpmu-functions.php中的有漏洞代码段: 1830 function choose_primary_blog() { 1831 global $current_user; 1832 ?> 1833 <table class="form-table"> 1834 <tr> 1835 <th scope="row"><?php _e('Primary Blog'); ?></th> 1836 <td> 1837 <?php 1838 $all_blogs = get_blogs_of_user( $current_user->ID ); 1839 if( count( $all_blogs ) > 1 ) { 1840 $primary_blog = get_usermeta($current_user->ID, 'primary_blog'); 1841 ?> 1842 <select name="primary_blog"> 1843 <?php foreach( (array) $all_blogs as $blog ) { ?> 1844 <option value='<?php echo $blog->userblog_id ?>'<?php if( $primary_blog == $blog->userblog_id ) echo ' selected="selected"' ?>>http://<?php echo $blog->domain.$blog->path ?></option> 1845 <?php } ?> 1846 </select> 1847 <?php 1848 } else { 1849 echo $_SERVER['HTTP_HOST']; <- HERE 1850 } 1851 ?> 1852 </td> 1853 </tr> 1854 </table> 1855 <?php 1856 } 在1849行的echo $_SERVER['HTTP_HOST'];,远程攻击者可以通过HTTP Host头注入HTML和脚本代码。 WordPress MU < 2.7 厂商补丁: WordPress --------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://wordpress.org/ target=_blank rel=external nofollow>http://wordpress.org/</a>
