WordPress 3.0.4, KSES Library Patched

WordPress 3.0.4 was released on December 29, 2010, the last WordPress release of 2010. It patches XSS vulnerabilities in the KSES library, and WordPress rates it a critical security update.

What is KSES?
KSES is an HTML/XHTML filter written in PHP. It removes all unwanted HTML elements and attributes and also performs several checks on attribute values, so it can be used to prevent Cross-Site Scripting (XSS). KSES is an open source project available on SourceForge, but it is a dead project that is no longer maintained by its author.

How to reproduce the vulnerabilities
The kses HTML filter (wp-includes/kses.php) now applies the “bad protocol” check to all attribute values. It treats any string containing a colon (:) as a URI, and if the string does not start with an allowed protocol (http, https, ftp, …), it deletes the characters before the colon as a bad protocol.
Example:

<img src="something.png" alt="Something: here" />

will change to:

<img src="something.png" alt="here" />

“Something:” is deleted because it is treated as a bad protocol.
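To make the rule concrete, here is an added PHP illustration (not code from WordPress or the kses project): a simplified model of the bad-protocol check, the 3.0.4 behaviour of applying it to every attribute value, and a narrower variant that checks only attributes that actually carry a URI. The allow list, the list of URI attributes and the function names are assumptions made for this example; real kses also normalises entities and whitespace before the check, which is omitted here.

```php
<?php
// Added illustration, not WordPress's own kses.php. It models the
// "bad protocol" rule described above: an attribute value containing a
// colon is read as "scheme:rest", and an unknown scheme is stripped.

// Constructed subset of an allowed-protocol list (assumption for the example).
$allowed_protocols = array('http', 'https', 'ftp', 'mailto');

// One pass: drop a leading "scheme:" when the scheme is not allowed.
function strip_bad_protocol_once($value, array $allowed)
{
    $parts = explode(':', $value, 2);
    if (count($parts) < 2) {
        return $value;                      // no colon, nothing to check
    }
    $scheme = strtolower(trim($parts[0]));
    if (in_array($scheme, $allowed, true)) {
        return $value;                      // allowed scheme, keep as is
    }
    return ltrim($parts[1]);                // drop "scheme:", keep the rest
}

// Repeat until the value stops changing, so stacked "a:b:rest" prefixes
// are all removed rather than only the first one.
function strip_bad_protocol($value, array $allowed)
{
    do {
        $before = $value;
        $value  = strip_bad_protocol_once($value, $allowed);
    } while ($value !== $before);
    return $value;
}

// 3.0.4-style behaviour: every attribute value gets the check,
// so plain text such as alt="Something: here" is mangled too.
function filter_all_attributes(array $attrs, array $allowed)
{
    foreach ($attrs as $name => $value) {
        $attrs[$name] = strip_bad_protocol($value, $allowed);
    }
    return $attrs;
}

// Narrower variant (assumed list of URI-bearing attributes): only values
// that a browser would interpret as a URL are checked.
function filter_uri_attributes(array $attrs, array $allowed)
{
    static $uri_attrs = array('src', 'href', 'action', 'cite');
    foreach ($attrs as $name => $value) {
        if (in_array(strtolower($name), $uri_attrs, true)) {
            $attrs[$name] = strip_bad_protocol($value, $allowed);
        }
    }
    return $attrs;
}

// The post's own example: <img src="something.png" alt="Something: here" />
$img = array('src' => 'something.png', 'alt' => 'Something: here');
print_r(filter_all_attributes($img, $allowed_protocols)); // alt becomes "here"
print_r(filter_uri_attributes($img, $allowed_protocols)); // alt is preserved

// Constructed link with a scheme that is not on the allow list.
$link = array('href' => 'data:text/html,x', 'title' => 'Note: read me');
print_r(filter_uri_attributes($link, $allowed_protocols)); // href loses "data:", title intact
```

Running the script shows the trade-off the post is pointing at: checking every attribute value protects against a scheme hidden in an unexpected attribute, but it also rewrites ordinary text that happens to contain a colon. Scoping the check to URI-bearing attributes keeps alt and title text intact while still stripping a disallowed scheme from href.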

What file is patched
Only two core files are actually patched:

wp-includes/formatting.php
wp-includes/kses.php

Other files revised in this release:

wp-includes/version.php
readme.html
wp-admin/includes/update-core.php

For more details about the changes, see WordPress trac.

Give me your feedback
