[wp-hackers] Security Vulnerability found - Forum Post

Mike Little journalized at gmail.com
Wed Apr 13 15:29:42 GMT 2005


On 4/13/05, Podz <podz at tamba2.org.uk> wrote:
> http://wordpress.org/support/topic.php?id=30721
> 
> Code has been posted on the forum.
> Could someone who knows what's what advise?
> 
> 


I've responded with my *opinion* of the situation on the forums.

> In my opinion, this isn't as much of a threat to WordPress as it seems.
> 
> In essence, the 'exploit' is that a registered user with posting permission can include any HTML, including javascript or an iframe, in a post title or a post body. This javascript would then be executed or the iframe be visible in any reader's browser!
> 
> That's right. It's a blogging system. It's a simplified CMS. It would be a pretty poor one without HTML.
> 
> In other words if you trust someone, including yourself, to post stories on your blog then you have to trust that they won't do anything naughty!
> 
> I don't see that that is any different from any situation where you allow someone trusted to put content on your site.
> 
> Maybe someone could produce a plug-in that disables all HTML for use on a multi author site where you don't trust the authors! Perhaps you might want to only allow them to use Textile or Markdown, though neither covers all that you might want to do in a post.
> Anyway, the above code is simplistic and inappropriate. There are better ways of sanitizing text. Take a look at the use of the kses filter.
> 
> 

Mike
-- 
Mike Little
http://zed1.com/journalized/

