[wp-trac] Re: [WordPress Trac] #4344: Posting comments from external websites
WordPress Trac
wp-trac at lists.automattic.com
Sun May 27 16:23:34 GMT 2007
#4344: Posting comments from external websites
-----------------------+----------------------------------------------------
Reporter: PsychoGun | Owner: anonymous
Type: defect | Status: closed
Priority: high | Milestone:
Component: Security | Version:
Severity: normal | Resolution: invalid
Keywords: |
-----------------------+----------------------------------------------------
Comment (by rob1n):
Replying to [comment:23 westi]:
> Replying to [comment:22 momo360modena]:
> > The explanation of rob1n is convenient for me ;)
> >
> > {{{
> > Unfiltered HTML is a CAPABILITY GRANTED TO THE ADMINISTRATOR.
> > }}}
>
> Yes but that doesn't actually explain the fact that the POC does/doesn't work.
>
> Yes a user with Unfiltered HTML can post javascript in a comment.
>
> The POC claims this can be automated with a remote posting javascript - i.e. by visiting another site which does it with your stored cookies.
>
> This is however blocked by the nonce check I [comment:6 described above]
I just thought you guys had iterated that point tons of times already in
this ticket, so I didn't bother to mention it in that specific comment.
It's on the [long] record, though ;).
--
Ticket URL: <http://trac.wordpress.org/ticket/4344#comment:26>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
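The nonce check westi refers to, modelled as an added example that is not WordPress's own code: a constructed HMAC key stands in for the wp-config.php salts, the tick and truncation scheme only approximates wp_create_nonce, and handle_comment_post is a hypothetical stand-in for the comment handler. It shows why a form auto-submitted from another site fails: the browser attaches the session cookie, but the third-party page cannot produce a nonce bound to that user.

```python
import hashlib
import hmac
import time

# Constructed secret for this model; WordPress derives its nonce key from the
# salts in wp-config.php, which a third-party site cannot read.
NONCE_KEY = b"constructed-demo-nonce-key"
NONCE_LIFE = 24 * 60 * 60   # seconds; a nonce spans the current tick and the previous one
ACTION = "unfiltered-html-comment"


def nonce_tick(now):
    """Half-lifetime counter; a nonce made in tick N verifies in ticks N and N+1."""
    return int(now // (NONCE_LIFE / 2))


def create_nonce(user_id, now):
    """Short token bound to the logged-in user, the action and the current tick."""
    msg = f"{nonce_tick(now)}|{ACTION}|{user_id}".encode()
    return hmac.new(NONCE_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def verify_nonce(nonce, user_id, now):
    """Accept a nonce from the current or the previous tick, compared in constant time."""
    tick = nonce_tick(now)
    for t in (tick, tick - 1):
        msg = f"{t}|{ACTION}|{user_id}".encode()
        expected = hmac.new(NONCE_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return True
    return False


def handle_comment_post(form, session_user_id, now):
    """Server side: session_user_id comes from the cookie the browser sends on any
    request, so the nonce field is the only thing a foreign page cannot supply."""
    nonce = form.get("_wp_unfiltered_html_comment", "")
    if not verify_nonce(nonce, session_user_id, now):
        return {"stored": False, "reason": "missing or invalid nonce"}
    return {"stored": True, "comment": form.get("comment", "")}


if __name__ == "__main__":
    now, admin = time.time(), 1
    own_form = {"comment": "<b>hi</b>", "_wp_unfiltered_html_comment": create_nonce(admin, now)}
    print(handle_comment_post(own_form, admin, now))        # stored: True
    forged_form = {"comment": "<script>/* constructed */</script>"}  # no nonce: cross-site post
    print(handle_comment_post(forged_form, admin, now))     # stored: False
```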