[wp-trac] Re: [WordPress Trac] #5313: no user checking if the "post_type" is set to page

WordPress Trac wp-trac at lists.automattic.com
Sat Feb 2 16:39:34 GMT 2008


#5313: no user checking if the "post_type" is set to page
-----------------------------+----------------------------------------------
 Reporter:  Columcille       |        Owner:  josephscott
     Type:  defect           |       Status:  new        
 Priority:  highest omg bbq  |    Milestone:  2.5        
Component:  Security         |      Version:  2.3.1      
 Severity:  critical         |   Resolution:             
 Keywords:                   |  
-----------------------------+----------------------------------------------
Changes (by lloydbudd):

  * summary:  iframe being injected => no user checking if the "post_type"
              is set to page

Old description:

> Feb 2, 2008 http://wordpress.org/support/topic/134928 now describes a
> security issue in xml-rpc:
>
> A person has to already have an account on your blog, or be able to
> create an account (subscription)
>
> WORKAROUND: if enabled, disable subscription to your blog, or remove
> xmlrpc.php .
>
> There is no user checking if the "post_type" is set to page.
>
> http://wordpress.org/support/topic/134928/page/2#post-686510
> http://www.theseekerblog.com/?p=284
> http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/

New description:

 There is no user checking if the "post_type" is set to page.

 Feb 2, 2008 http://wordpress.org/support/topic/134928 now describes a
 security issue in xml-rpc:

 A person has to already have an account on your blog, or be able to
 create an account (subscription)

 WORKAROUND: if enabled, disable subscription to your blog, or remove
 xmlrpc.php .

 http://wordpress.org/support/topic/134928/page/2#post-686510
 http://www.theseekerblog.com/?p=284
 http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5313#comment:11>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
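The gap the ticket describes, as a constructed PHP illustration that is not WordPress's own xmlrpc.php code: a hypothetical XML-RPC "new content" handler whose capability check is tied only to the default post_type, beside the hardened form that maps each requested type to its own capability and rejects unknown types. The role table and user_can_do() are assumptions standing in for WordPress's capability system.

```php
<?php
// Constructed illustration, not WordPress's own xmlrpc.php.
// A minimal role table standing in for WordPress capabilities (assumed).
$ROLE_CAPS = [
    'subscriber' => [],
    'author'     => ['edit_posts'],
    'editor'     => ['edit_posts', 'edit_pages'],
];

// Assumed stand-in for a capability lookup.
function user_can_do(array $user, string $cap): bool {
    global $ROLE_CAPS;
    return in_array($cap, $ROLE_CAPS[$user['role']] ?? [], true);
}

// Before: the capability test is wired to the default type only, so a
// caller that sets post_type to "page" never has its rights checked.
function new_content_vulnerable(array $user, array $content): string {
    $type = $content['post_type'] ?? 'post';
    if ($type === 'post' && !user_can_do($user, 'edit_posts')) {
        return 'denied';
    }
    return "created $type";
}

// After: every accepted type has a required capability, and any other
// value of post_type is refused rather than silently allowed.
function new_content_fixed(array $user, array $content): string {
    $type = $content['post_type'] ?? 'post';
    $required = ['post' => 'edit_posts', 'page' => 'edit_pages'];
    if (!isset($required[$type]) || !user_can_do($user, $required[$type])) {
        return 'denied';
    }
    return "created $type";
}

// Demonstration with a constructed subscriber account asking for a page.
$subscriber = ['role' => 'subscriber'];
$request    = ['post_type' => 'page', 'title' => 'example'];
echo 'vulnerable: ', new_content_vulnerable($subscriber, $request), "\n";
echo 'fixed:      ', new_content_fixed($subscriber, $request), "\n";
```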
