[wp-trac] [WordPress Trac] #36260: WordPress failed in HP Fortify Scan

WordPress Trac noreply at wordpress.org
Wed Mar 16 08:39:39 UTC 2016


#36260: WordPress failed in HP Fortify Scan
--------------------------+-----------------------------
 Reporter:  j4m35bond     |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:  4.4.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Dear Support,

 Our WordPress project does not approve to go live due to a lot of XSS loop
 hole as a scan result by <HP Fortify Scan>. Does WordPress provide any
 security patch or updates to fix the loophole?

 Is it valid that it is really a security threat?
 Example report return by Fortify Scan:


 wp-admin/js/press-this.js, line 291 (Cross-Site Scripting: DOM) Critical
 Issue Details
 Kingdom: Input Validation and Representation
 Scan Engine: SCA (Data Flow)
 Source Details
 Source: Read response.data.redirect
 From: lambda
 File: wp-admin/js/press-this.js:291
 -----------------------------------------------------------------
 288 } else if ( response.data.redirect ) {
 289 if ( window.opener && ( settings.redirInParent ||
 response.data.force ) ) {
 290 try {
 291 window.opener.location.href = response.data.redirect;
 292
 293 window.setTimeout( function() {
 294 window.self.close();

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36260>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list