[wp-hackers] Security Vulnerability found - Forum Post
Jeff Minard
jeff at jrm.cc
Wed Apr 13 17:53:31 GMT 2005
John Sinteur wrote:
> Owner logs on, sees a new draft, clicks on it to view, and has just lost
> his weblog.
That's pretty extreme. One person would have to invest a lot of time and
technical knowledge to execute that kind of exploit for very little (one
blog) payoff.
Additionally, if they do contain control (however they manage it, JS
XMLHttpRequest *might* work) then what? They log in, post a bunch of
crap, hijack the blog for 20 minutes? Big deal. You should have backups,
and they don't actually have any passwords (they only have md5'd
cookies). So the recovery, sure, would be a pain, but would be quick.
Combine that with the minimal likelihood of this happening and I don't
think this comes close to anything critical.
Someone else brought this up a few days ago in the support forums - same
bug, "Users can post malicious code to the blog via script/iframe tags"
to which one responded, "So what you are saying is that trusted users
can post HTML to a blog? Yeah. They can."
Seems way outta proportion.
Finally, the people who have the skill to do this -- and the motivation
to hack -- would probably have bigger fish to fry than a multiuser,
non-authenticated blog site.
The suggestion has been offered before: If you are really afraid of your
users, write a plugin to do additional KS filtering on your blog content
so that script/iframe/scary tags are removed. Problem solved.
- Jeff
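
The plugin suggested in the last paragraph of the post could be written as follows with current WordPress APIs. This is an added example, not code from the post or from the WordPress project; the plugin name, the `scf_` function names and the allowlist contents are assumptions.

```php
<?php
/*
Plugin Name: Strict Content Filter (hypothetical example)
Description: Removes script/iframe and any other non-allowlisted markup from post content.
*/

// Constructed allowlist. Any tag or attribute not listed here is removed by wp_kses(),
// which covers <script>, <iframe>, <object>, inline event handlers (onclick, onerror) and style.
function scf_allowed_html() {
    return array(
        'a'          => array( 'href' => true, 'title' => true ),
        'img'        => array( 'src' => true, 'alt' => true ),
        'blockquote' => array( 'cite' => true ),
        'p'          => array(),
        'br'         => array(),
        'em'         => array(),
        'strong'     => array(),
        'code'       => array(),
        'pre'        => array(),
        'ul'         => array(),
        'ol'         => array(),
        'li'         => array(),
    );
}

// URL schemes permitted in href/src/cite; javascript: and data: URLs are rejected.
function scf_allowed_protocols() {
    return array( 'http', 'https', 'mailto' );
}

// Filter unslashed content. wp_kses() strips disallowed tags but leaves their inner
// text behind as inert text, so a removed <script> body shows up as plain characters.
function scf_clean( $content ) {
    return wp_kses( $content, scf_allowed_html(), scf_allowed_protocols() );
}

// The *_save_pre hooks receive slashed data: unslash, filter, then re-slash before storage.
function scf_clean_on_save( $content ) {
    return wp_slash( scf_clean( wp_unslash( $content ) ) );
}
add_filter( 'content_save_pre', 'scf_clean_on_save' );
add_filter( 'excerpt_save_pre', 'scf_clean_on_save' );

// Posts stored before activation are filtered again when loaded into the editor
// (the "owner opens a draft" case quoted above) and when rendered on the site.
add_filter( 'content_edit_pre', 'scf_clean' );
add_filter( 'the_content', 'scf_clean', 99 );
```

Because the hooks run for every author regardless of role, the allowlist also applies to administrators and editors, and the late `the_content` priority means embeds that expand to iframes are stripped as well.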