WordPress 3.0.4 was released on December 29, 2010, the last WordPress release of 2010. It patches XSS vulnerabilities in the KSES library, and WordPress classifies it as a critical security update.
What is KSES?
KSES is an HTML/XHTML filter written in PHP. It removes all unwanted HTML elements and attributes and also performs several checks on attribute values, which is what makes it usable as a defence against cross-site scripting (XSS). KSES is an open source project hosted on SourceForge, but the upstream project is dead and no longer maintained by its author; WordPress ships its own copy in wp-includes/kses.php.
How the patched filter behaves
The kses HTML filter (wp-includes/kses.php) now applies its "bad protocol" check to every attribute value, not only to URL attributes such as href and src. Any value containing a colon (:) is treated as a URI: if the text before the colon is not an allowed protocol (http, https, ftp, ...), that text and the colon are deleted as a bad protocol.
Example:
<img src="something.png" alt="Something: here" />
is changed to:
<img src="something.png" alt="here" />
"Something:" is deleted because it is treated as a bad protocol, even though alt is not a URL attribute at all. This is the price of applying the check uniformly: it closes the hole regardless of which attribute an attacker smuggles a script URI into, but it also mangles plain text that happens to contain a colon.
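To make the check concrete, here is a small Python model of the colon/scheme logic described above. It is an added example, not code from WordPress or from the kses project: the protocol allowlist is an assumption, and the entity decoding, whitespace stripping, case folding and repeat-until-stable loop follow the general shape of kses' bad-protocol handling rather than reproducing the PHP line for line. It shows both sides of the trade-off: javascript: in its obfuscated spellings is stripped, and so is the harmless "Something:" in the alt text.

```python
import html
import re

# Scheme allowlist assumed for this example (WordPress keeps its own list in
# $allowedprotocols; this set is an assumption, not a copy of that list).
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "ftps", "mailto", "news", "irc",
                     "gopher", "nntp", "feed", "telnet"}

# A literal colon or its numeric-entity spellings separates "scheme" from the rest.
_COLON = re.compile(r":|&#0*58;|&#x0*3a;", re.IGNORECASE)


def normalize_scheme(scheme: str) -> str:
    """Undo the tricks used to sneak a scheme past a naive string compare:
    decode HTML entities, drop NULs and whitespace, fold case."""
    scheme = html.unescape(scheme)
    scheme = scheme.replace("\0", "")
    scheme = re.sub(r"\s", "", scheme)
    return scheme.lower()


def bad_protocol_once(value: str, allowed=ALLOWED_PROTOCOLS) -> str:
    """One pass: if the value looks like 'scheme:rest', keep it only when the
    normalised scheme is allowed; otherwise delete 'scheme:' and trim the rest."""
    parts = _COLON.split(value, maxsplit=1)
    if len(parts) < 2:
        return value                      # no colon: not treated as a URI
    scheme, rest = parts
    canonical = normalize_scheme(scheme)
    if canonical in allowed:
        return f"{canonical}:{rest.strip()}"
    return rest.strip()                   # bad protocol: drop it and the colon


def strip_bad_protocols(value: str, allowed=ALLOWED_PROTOCOLS, max_rounds=6) -> str:
    """Repeat until the value stops changing, so 'javascript:javascript:x'
    cannot survive a single pass; give up with '' if it never settles."""
    value = value.replace("\0", "")
    for _ in range(max_rounds):
        previous = value
        value = bad_protocol_once(value, allowed)
        if value == previous:
            return value
    return ""


if __name__ == "__main__":
    # Constructed attribute values: the page's alt example plus a few hostile ones.
    for sample in ["Something: here",
                   "http://example.com/a.png",
                   "javascript:alert(1)",
                   "jAva\tScript:alert(1)",
                   "&#106;avascript:alert(1)",
                   "javascript&#58;alert(1)",
                   "javascript:javascript:alert(1)"]:
        print(f"{sample!r:40} -> {strip_bad_protocols(sample)!r}")
```

Run as a script it prints each constructed value beside its filtered form. The model treats "Something: here" exactly as the page describes (it becomes "here"), which is the behaviour to watch for when auditing content after an upgrade: any attribute value whose text before a colon is not an allowlisted scheme is rewritten, not just href and src.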
Which files are patched
Only two core files carry the fix:
wp-includes/formatting.php
wp-includes/kses.php
Other files revised in the release:
wp-includes/version.php
readme.html
wp-admin/includes/update-core.php
For details about the changes, see WordPress Trac.