plaintxt.org » preemptive http://www.plaintxt.org Minimalism in blog design, an experiment Fri, 22 Jan 2010 17:20:40 +0000 en hourly 1 Vulnerability in Sandbox fixed http://www.plaintxt.org/2009/06/vulnerability-in-sandbox-fixed/ http://www.plaintxt.org/2009/06/vulnerability-in-sandbox-fixed/#comments Sat, 20 Jun 2009 01:27:22 +0000 Scott http://www.plaintxt.org/?p=509 anoncobard, a cross-site scripting vulnerability in prior Sandbox versions has been fixed. I ask all Sandbox users to download Sandbox 1.6.1 and upgrade.]]> Thanks to WordPress user anoncobard, a cross-site scripting vulnerability in prior Sandbox versions has been fixed. I ask all Sandbox users to download Sandbox 1.6.1 and upgrade.

In the Sandbox functions.php, the pagination variable in the sandbox_body_class() passed an unsanitized variable that could be exploited using XSS.

See line 128 in the file:

if ( ( ( $page = $wp_query->get('paged') ) || ( $page = $wp_query->get('page') ) ) && $page > 1 ) {

The variable $page is never validated before it is passed to the function and then to the page. By simply adding $page = intval($page); (thanks to Andy), we make sure what is passed is only a number (see the diff of the changes).

This has also been fixed for the Sandbox theme for WordPress.com accounts. Please note that there have been no reports the Sandbox theme being exploited, so we are glad that we were able to correct this weakness before it was announced.

Now get back to playing in your Sandbox.

]]> http://www.plaintxt.org/2009/06/vulnerability-in-sandbox-fixed/feed/ 8