[wp-hackers] XSS Vulnerability reported by a french geek

Peter Westwood peter.westwood at ftwr.co.uk
Tue May 29 16:11:24 GMT 2007


On Tue, May 29, 2007 4:49 pm, Aaron Brazell wrote:
> I still still still don't see this as an actual flaw. unfiltered_html
> is a capability that an administrator should have. If the person has
> administrative rights, well they can delete the whole blog. Is that
> classified as a security risk too?
> --
> Aaron Brazell
> Director of Technology, b5media
> "A Global New Media Company"
>
> www:: www.b5media.com
> my www: www.technosailor.com
> phone:: 410-608-6620
> fax:: 416-849-0347
> skype:: technosailor
>
> Everything contained in this email is confidential and stuff.
>
>
>
>
> On May 29, 2007, at 11:46 AM, Gali wrote:
>
>> http://ar3av.free.fr/faillewordpress.php
>> ( 27 / 05 / 2007 )
>>
>> versions : 2.2 and previous versions.
>>
>> A site could lead a blog administrator to post a malicious javascript
>> in comments, resulting in an open door to XSS.

This report has been discussed to death on trac [1]

The long and the short of it is:

The POC doesn't work.

Yes, any user with Unfiltered HTML can post javascript in a comment.

The POC claims this can be automated with a remote posting javascript -
i.e. by visiting another site which does it with your stored cookies.

This is however blocked by a specific nonce check, as I described in [2].

[1] - http://trac.wordpress.org/ticket/4344
[2] - http://trac.wordpress.org/ticket/4344#comment:6

westi
-- 
Peter Westwood <peter.westwood at ftwr.co.uk>
http://blog.ftwr.co.uk
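To illustrate the nonce check referred to above, here is an added example (not WordPress code, and not part of the original message) that models the mechanism: a per-user, per-action token that a cross-site form cannot obtain, so a request that arrives with the victim's cookies but without a valid token is rejected. `SECRET_KEY`, the function names and the `post-comment` action name are constructed for this example.

```python
import hmac
import hashlib
import time

# Constructed server-side secret for this example (WordPress uses the salts in wp-config.php).
SECRET_KEY = b"constructed-example-secret-key"
NONCE_LIFE = 24 * 60 * 60  # seconds; the token is good for at most this long


def nonce_tick(now=None):
    """Half-life tick number; a nonce is accepted for the tick it was made in
    and the next one, so it lives between 12 and 24 hours."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFE / 2)) + 1


def _digest(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, user_id, now=None):
    """Token bound to an action and the logged-in user; rendered into the
    site's own forms, never available to a third-party page."""
    return _digest(nonce_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Return 1 (current tick), 2 (previous tick) or False, modelled on
    wp_verify_nonce's return values."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    for offset, result in ((0, 1), (1, 2)):
        if hmac.compare_digest(_digest(tick - offset, action, user_id), nonce):
            return result
    return False


def handle_comment_post(request, session_user_id, now=None):
    """Model of the comment endpoint. The browser attaches cookies
    (session_user_id) to any request, including one a remote site triggers;
    the nonce only exists in forms this site rendered for this user."""
    if not verify_nonce(request.get("_wpnonce"), "post-comment", session_user_id, now):
        return "rejected: nonce check failed"
    return f"posted by user {session_user_id}: {request['comment']}"
```

The second assertion set in the test shows the case from the thread: the same comment body, submitted with the administrator's cookies but from a page that could not read the nonce, is refused.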
