[wp-trac] Re: [WordPress Trac] #5313: no user checking if the "post_type" is set to page
WordPress Trac
wp-trac at lists.automattic.com
Sat Feb 2 16:39:34 GMT 2008
#5313: no user checking if the "post_type" is set to page
-----------------------------+----------------------------------------------
Reporter: Columcille | Owner: josephscott
Type: defect | Status: new
Priority: highest omg bbq | Milestone: 2.5
Component: Security | Version: 2.3.1
Severity: critical | Resolution:
Keywords: |
-----------------------------+----------------------------------------------
Changes (by lloydbudd):
* summary: iframe being injected => no user checking if the "post_type" is set to page
Old description:
> Feb 2, 2008 http://wordpress.org/support/topic/134928 now describes a
> security issue in xml-rpc:
>
> A person has to already have an account on your blog, or be able to
> create an account (subscription)
>
> WORKAROUND: if enabled, disable subscription to your blog, or remove
> xmlrpc.php .
>
> There is no user checking if the "post_type" is set to page.
>
> http://wordpress.org/support/topic/134928/page/2#post-686510
> http://www.theseekerblog.com/?p=284
> http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/
New description:
There is no user checking if the "post_type" is set to page.
Feb 2, 2008 http://wordpress.org/support/topic/134928 now describes a
security issue in xml-rpc:
A person has to already have an account on your blog, or be able to
create an account (subscription)
WORKAROUND: if enabled, disable subscription to your blog, or remove
xmlrpc.php.
http://wordpress.org/support/topic/134928/page/2#post-686510
http://www.theseekerblog.com/?p=284
http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/
--
Ticket URL: <http://trac.wordpress.org/ticket/5313#comment:11>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
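The defect the ticket describes, as an added illustration that is not WordPress's own xmlrpc.php code: a simplified model in which the authorization branch for `post_type=page` carries no capability check at all, placed beside a hardened version that derives the required capability from the requested post type and refuses unknown types. The capability names mirror WordPress role capabilities; the user arrays and helper functions are constructed for this example.

```php
<?php
// Constructed users (not real WordPress user objects).
// A subscriber-style account: can read, cannot author anything.
$subscriber = ['read' => true];
// An author-style account: may publish posts but not pages.
$author = ['read' => true, 'publish_posts' => true];

// Hypothetical stand-in for a role/capability lookup.
function user_can(array $caps, string $cap): bool {
    return !empty($caps[$cap]);
}

// Flawed model of the reported bug: the "page" branch is reached without
// any capability test, so any logged-in account passes it.
function may_publish_flawed(array $caps, string $post_type): bool {
    if ($post_type === 'page') {
        return true;            // no user checking on this branch
    }
    return user_can($caps, 'publish_posts');
}

// Hardened model: every accepted post_type maps to the capability it
// requires, and a post_type outside that map is rejected, not allowed.
function may_publish_hardened(array $caps, string $post_type): bool {
    $required = ['post' => 'publish_posts', 'page' => 'publish_pages'];
    if (!isset($required[$post_type])) {
        return false;           // fail closed on unexpected input
    }
    return user_can($caps, $required[$post_type]);
}

foreach (['post', 'page', 'attachment'] as $type) {
    printf("subscriber %-10s flawed=%d hardened=%d\n", $type,
        (int) may_publish_flawed($subscriber, $type),
        (int) may_publish_hardened($subscriber, $type));
    printf("author     %-10s flawed=%d hardened=%d\n", $type,
        (int) may_publish_flawed($author, $type),
        (int) may_publish_hardened($author, $type));
}
```

Run with `php` on the command line; the subscriber row for `page` shows the flawed check granting publication while the hardened check denies it, which is the behaviour the ticket reports and the fix it implies.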