[wp-hackers] Plugin version number from WP.org sanitized?
viper at viper007bond.com
Tue Dec 4 22:20:28 GMT 2007
Okay, I made a ticket and wrote a patch:
On 12/4/07, Otto <otto at ottodestruct.com> wrote:
> Even if WP.org is safely doing the right thing, this is a security
> issue that needs to be fixed. It's unsanitized data from a third party
> Okay, so spoofing the DNS to redirect what "wordpress.org" means to
> the webserver would be a bit of a long way to go to hack a website,
> but it can still be done.
> On 12/3/07, Viper007Bond <viper at viper007bond.com> wrote:
> > I've been playing around with the plugin update checker (writing a new
> > plugin that uses the data) and noticed that the data retrieved from
> > WP.org is displayed raw:
> > printf( __('There is a new version of %s available. <a
> > version %s here</a>.'), $plugin_data['Name'], $r->url, $r->new_version
> > Does this mean WP.org automatically htmlspecialchars() the version
> > and such or was this overlooked?
> > What if I commit a new version of my plugin and put this as the version
> > number: 1.2.3<script>alert('omfghax');</script>
> > The same goes for plugin titles.
> > Wondering both for my plugin's sake and for security's sake.
> > --
> > Viper007Bond | http://www.viper007bond.com/
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
Viper007Bond | http://www.viper007bond.com/
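The rendering problem the thread describes, shown as an added example that is not code from the thread or from WordPress core: the raw notice beside a version that validates the update-response fields and escapes them on output. The `$hostile`/`$benign` objects and `$plugin_data` are constructed stand-ins for the decoded WP.org response and the parsed plugin header, and `NOTICE_FORMAT` is an assumed format string shaped like the one quoted above (the page does not show the full WordPress string).

```php
<?php
// Added example: not code from the thread or from WordPress core.
// $hostile/$benign imitate the object decoded from the WP.org update-check
// response and $plugin_data the parsed plugin header; all are constructed here.
$hostile = (object) [
    'url'         => 'javascript:alert(1)',
    'new_version' => "1.2.3<script>alert('omfghax');</script>",
];
$benign  = (object) ['url' => 'https://example.invalid/x.zip', 'new_version' => '1.2.4'];
$plugin_data = ['Name' => 'Demo <b>Plugin</b>'];

// Assumed format string, shaped like the one quoted in the thread; the exact
// WordPress string is not shown on the page.
const NOTICE_FORMAT = 'There is a new version of %s available. '
    . '<a href="%s">Download version %s here</a>.';

// Vulnerable: every field from the third-party response lands in the admin
// page's HTML unescaped, so markup in a version, title or URL is rendered.
function notice_raw(object $r, array $plugin_data): string {
    return sprintf(NOTICE_FORMAT, $plugin_data['Name'], $r->url, $r->new_version);
}

// Hardened: validate the fields that have a known shape, then escape every
// field on output regardless, so neither check alone has to be perfect.
function notice_safe(object $r, array $plugin_data): string {
    // A version string has no legitimate need for anything outside this set.
    if (!preg_match('/\A[0-9A-Za-z.+_-]{1,32}\z/', $r->new_version)) {
        throw new UnexpectedValueException('malformed version in update response');
    }
    // The href gets an absolute http(s) URL or nothing: escaping alone would
    // still let a javascript: URL through into the attribute.
    $scheme = parse_url($r->url, PHP_URL_SCHEME);
    if (filter_var($r->url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        throw new UnexpectedValueException('unacceptable URL in update response');
    }
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(NOTICE_FORMAT, $esc($plugin_data['Name']), $esc($r->url), $esc($r->new_version));
}

echo notice_raw($hostile, $plugin_data), "\n";   // <script> and javascript: reach the browser
try {
    notice_safe($hostile, $plugin_data);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // hostile version fails validation
}
echo notice_safe($benign, $plugin_data), "\n";   // plugin name rendered as &lt;b&gt; text
```

The output-escaping step is what closes the hole the thread reports; the validation step is the added defence for fields whose legitimate shape is narrow, such as a version number or a download URL.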