[wp-trac] Re: [WordPress Trac] #10294: CSRF through the img tag
WordPress Trac
wp-trac at lists.automattic.com
Wed Jul 1 07:05:24 UTC 2009
#10294: CSRF through the img tag
--------------------------+-------------------------------------------------
Reporter: SaltwaterC | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Security | Version: 2.8
Severity: normal | Resolution:
Keywords: |
--------------------------+-------------------------------------------------
Changes (by SaltwaterC):
* status: closed => reopened
* resolution: invalid =>
Comment:
The fact that WordPress is unaffected by this issue doesn't mean that
WordPress is safe for others. This slip in properly parsing the HTML can
be used as an attack vector against '''other sites''', thus making WordPress
kinda useless for creating an open publishing platform where anyone can
sign up and provide content. Isn't this one of those Web 2.0 thingies, the
user generated content? Well, that user generated content had better be
safe for others.
Please do us all a favor: fire up a WordPress instance, create a new
article as an unprivileged user who has filtered HTML on, then embed this
couple of 'images'. For this to work you need to be authenticated on
wordpress.org and core.trac.wordpress.org:
<img src="http://wordpress.org/extend/plugins/bb-login.php?logout" alt="" />
<img src="http://core.trac.wordpress.org/logout" alt="" />
Then please visit wordpress.org and core.trac.wordpress.org again. Do you
notice something? This demonstration has minimal effects, but the
potential is greater. Please remember that WordPress roles can be changed,
thus someone with contributor privileges may post content without the
approval of an admin/editor if the site is designed for that purpose.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10294#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
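The comment above describes the classic shape of this bug: a browser fetching an `<img src>` sends a GET request that carries the viewer's cookies, so any site that performs a state change (here, a logout) on a plain GET can be triggered by markup a third party publishes. The following is an added example, not code from the ticket or from WordPress, that simulates a logout endpoint in its GET-triggered form beside a hardened form that only acts on a POST carrying a nonce bound to the session (a simplified stand-in for a scheme like WordPress's wp_nonce). All names (`SERVER_SECRET`, `SESSIONS`, `logout_vulnerable`, `logout_hardened`, `browser_loads_img`) and the secret value are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed demo state (hypothetical, not a real server): a server-side HMAC key
# and an in-memory session store mapping session id -> username.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SESSIONS = {}


def login(username):
    """Create a session for a user and return the session id the cookie would carry."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def make_nonce(sid, action):
    """Action-specific nonce bound to the session (HMAC over session id and action name)."""
    msg = f"{sid}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(sid, action, nonce):
    """Constant-time comparison so a wrong nonce is rejected without leaking timing."""
    return hmac.compare_digest(make_nonce(sid, action), nonce or "")


def logout_vulnerable(method, url, cookie_sid, form=None):
    """Endpoint that logs out on any request to /logout, including a GET.

    A cross-site <img src="https://target/logout"> is exactly such a GET with cookies
    attached, so a visitor is logged out just by viewing a page that embeds the tag.
    """
    if urlsplit(url).path == "/logout" and cookie_sid in SESSIONS:
        del SESSIONS[cookie_sid]
        return "logged out"
    return "no-op"


def logout_hardened(method, url, cookie_sid, form=None):
    """Endpoint that only logs out on a POST carrying a nonce bound to this session.

    An <img> tag can only issue a GET and cannot read the nonce from the target site,
    so neither condition can be satisfied by embedded markup on another site.
    """
    if urlsplit(url).path != "/logout":
        return "no-op"
    if method != "POST":
        return "405 method not allowed"
    nonce = (form or {}).get("_nonce")
    if cookie_sid not in SESSIONS or not verify_nonce(cookie_sid, "logout", nonce):
        return "403 invalid nonce"
    del SESSIONS[cookie_sid]
    return "logged out"


def browser_loads_img(src, handler, cookie_sid):
    """Simulate a browser rendering <img src=...>: a GET that sends the user's cookie.

    This models the pre-SameSite browser behavior the ticket describes, where
    third-party image loads carried the target site's cookies unconditionally.
    """
    return handler("GET", src, cookie_sid)


if __name__ == "__main__":
    sid = login("alice")
    print(browser_loads_img("http://target.example/logout", logout_vulnerable, sid))
    sid = login("bob")
    print(browser_loads_img("http://target.example/logout", logout_hardened, sid))
    print(logout_hardened("POST", "http://target.example/logout", sid,
                          {"_nonce": make_nonce(sid, "logout")}))
```

The defense sits on the site receiving the request, not on the publishing platform: a nonce-protected POST is unaffected by what any other site lets its users embed, and a `SameSite` cookie attribute on the session cookie adds a second, browser-enforced layer for the same class of request.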