[wp-hackers] XSS Vulnerability reported by a french geek
Aaron Brazell
abrazell at b5media.com
Tue May 29 16:18:52 GMT 2007
Yeah I know. I defended you in one of the tickets because the guy was
being an ass to everyone who was pointing out that the POC doesn't
work. That's why I say "I still still still". :)
--
Aaron Brazell
Director of Technology, b5media
"A Global New Media Company"
www:: www.b5media.com
my www: www.technosailor.com
phone:: 410-608-6620
fax:: 416-849-0347
skype:: technosailor
Everything contained in this email is confidential and stuff.
On May 29, 2007, at 12:11 PM, Peter Westwood wrote:
> This report has been discussed to death on trac [1]
>
> The long and the short of it is:
>
> The POC doesn't work.
>
> Yes any user with Unfiltered HTML can post javascript in a comment.
>
> The POC claims this can be automated with a remote posting
> javascript -
> i.e. by visiting another site which does it with your stored cookies.
>
> This is however blocked by a specific nonce check as I described in
> [2]
More information about the wp-hackers
mailing list