[wp-hackers] FW: Wordpress All versions XSS
Chris
chris.hearn01 at ntlworld.com
Thu May 3 10:12:23 GMT 2007
Although I think the default sidebar code still does contain several
references to bloginfo('home')...along the lines of
<p>You are currently browsing the <a href="<?php bloginfo('home');
Chris
Robin Adrianse wrote:
> We deprecated "home" a while back, and now it's "url" for the homepage
> and
> "wpurl" for the WP installation.
>
> On 5/2/07, Jeremy Visser <jeremy.visser at gmail.com> wrote:
>>
>> wordpress at nazgul.nu wrote:
>> > <form method="get" id="searchform" action="<?php echo
>> > $_SERVER['PHP_SELF']; ?>">
>>
>> WordPress' default theme is not vulnerable:
>>
>> > <form method="get" id="searchform" action="<?php bloginfo('url');
>> ?>/">
>>
>> Neither is classic:
>>
>> > <form id="searchform" method="get" action="<?php bloginfo('home');
>> ?>">
>>
>> Oh, by the way, which is better to get the URL from? home or url?
>>
>> --
>> Jeremy Visser
>>
>> () ascii ribbon campaign - against html e-mail
>> /\ www.asciiribbon.org - against proprietary attachments
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
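As an added example, not code from this thread or from WordPress itself, the standalone PHP script below contrasts the three search-form patterns discussed above: the action copied from $_SERVER['PHP_SELF'], the same value escaped for an attribute context, and the default-theme approach of using a fixed site URL in place of bloginfo('url'). The attacker request, SITE_URL, and the helper function names are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example for the wp-hackers thread; not code from the thread or
// from WordPress. It shows why a search form whose action is built from
// $_SERVER['PHP_SELF'] is an XSS sink, and what the bloginfo('url')-style
// fix looks like. Run with: php php_self_xss_demo.php

// Constructed attacker request. For a request to
//   /index.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Ca%20href=%22
// PHP sets PHP_SELF to the script name plus the URL-decoded PATH_INFO,
// so the value below is what the theme template would see.
const ATTACKER_PHP_SELF = '/index.php/"><script>alert(1)</script><a href="';

// Hypothetical site setting standing in for bloginfo('url'): a fixed value
// chosen by the site owner, never derived from the request.
const SITE_URL = 'https://blog.example.org';

/** The pattern quoted in the thread: the action is copied from the request. */
function vulnerableSearchForm(string $phpSelf): string
{
    return '<form method="get" id="searchform" action="' . $phpSelf . '">'
        . '<input type="text" name="s" /></form>';
}

/** The default-theme pattern: the action is the configured site URL. */
function safeSearchForm(string $siteUrl): string
{
    $action = htmlspecialchars($siteUrl, ENT_QUOTES, 'UTF-8') . '/';
    return '<form method="get" id="searchform" action="' . $action . '">'
        . '<input type="text" name="s" /></form>';
}

/**
 * Defence in depth if request data really must land in an attribute:
 * escape it for the HTML attribute context. This stops the attribute
 * breakout but still lets the attacker pick where the form submits,
 * so a fixed base URL remains the right fix.
 */
function escapedSearchForm(string $phpSelf): string
{
    $action = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form method="get" id="searchform" action="' . $action . '">'
        . '<input type="text" name="s" /></form>';
}

/** Crude demo check: extra tag starts before </form> mean injected markup. */
function hasInjectedMarkup(string $html): bool
{
    // A correctly rendered form has exactly two '<' before </form>:
    // the <form ...> tag and the <input ...> tag. Anything more came
    // from the attacker breaking out of the action attribute.
    $body = substr($html, 0, strpos($html, '</form>'));
    return substr_count($body, '<') > 2;
}

$cases = [
    'PHP_SELF (vulnerable)' => vulnerableSearchForm(ATTACKER_PHP_SELF),
    'PHP_SELF + escaping'   => escapedSearchForm(ATTACKER_PHP_SELF),
    "bloginfo('url') style" => safeSearchForm(SITE_URL),
];

foreach ($cases as $label => $html) {
    printf("%-24s injected=%s\n  %s\n\n",
        $label,
        hasInjectedMarkup($html) ? 'yes' : 'no',
        $html
    );
}
```

Running it prints the vulnerable form with a live script element inside the page, the escaped form with the payload neutralised as entities, and the site-URL form unchanged. hasInjectedMarkup() is only a sanity check for this demo, not an XSS filter; the lesson from the thread is that the action should come from site configuration rather than from anything the request controls.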