[wp-trac] [WordPress Trac] #10294: CSRF through the img tag

WordPress Trac wp-trac at lists.automattic.com
Sun Jun 28 20:02:58 GMT 2009

#10294: CSRF through the img tag
 Reporter:  SaltwaterC    |       Owner:  ryan      
     Type:  defect (bug)  |      Status:  new       
 Priority:  normal        |   Milestone:  Unassigned
Component:  Security      |     Version:  2.8       
 Severity:  normal        |    Keywords:            
 The filtered HTML should be more ... well, filtered. Although Since
 WordPress 2.8 you can't do CSRF with a link like this:
 http://example.com/?logout=true&action=logout (where example.com holds a
 WP installation) because the logout requires the _wpnonce parameter to be
 specified into the GET request (2.7.1 has this issue), the installation is
 still vulnerable to this type of CSRF against other sites. While this kind
 of stuff is mostly annoying (as example <img
 src="http://wordpress.org/extend/plugins/bb-login.php?logout" alt="" />
 within a blog's post), it can be used for more severe actions.

 I didn't started with the "filtered HTML" state by accident. This kind of
 vulnerability can be triggered by blog users who actually have lower
 privileges, thus using the filtered HTML feature which turns out to be
 inefficient for this kind of issue.

Ticket URL: <http://core.trac.wordpress.org/ticket/10294>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list