[wp-trac] [WordPress Trac] #10294: CSRF through the img tag
WordPress Trac
wp-trac at lists.automattic.com
Sun Jun 28 20:02:58 GMT 2009
#10294: CSRF through the img tag
--------------------------+-------------------------------------------------
Reporter: SaltwaterC | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: Unassigned
Component: Security | Version: 2.8
Severity: normal | Keywords:
--------------------------+-------------------------------------------------
The filtered HTML should be more ... well, filtered. Although since
WordPress 2.8 you can't do CSRF with a link like this:
http://example.com/?logout=true&action=logout (where example.com holds a
WP installation) because the logout requires the _wpnonce parameter to be
specified in the GET request (2.7.1 has this issue), the installation is
still vulnerable to this type of CSRF against other sites. While this kind
of stuff is mostly annoying (for example <img
src="http://wordpress.org/extend/plugins/bb-login.php?logout" alt="" />
within a blog's post), it can be used for more severe actions.

I didn't start with the "filtered HTML" state by accident. This kind of
vulnerability can be triggered by blog users who actually have lower
privileges, thus using the filtered HTML feature, which turns out to be
inefficient for this kind of issue.
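The reason the bare logout link no longer works against a 2.8 install is the _wpnonce check the reporter mentions: the token is bound to the user, the action and a time window, and an image fetched from another site carries the victim's cookies but cannot carry a matching nonce. The following is an added example modelled on that mechanism, not WordPress's own code; the secret, user ids and timestamp are constructed, and the `require_nonce=False` path only illustrates the unprotected 2.7.1-style behaviour the ticket contrasts against.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

SECRET = b"constructed-site-secret"  # placeholder, not a real key

def nonce_tick(now, lifetime=12 * 3600):
    """Time window index; the token rolls over every half-lifetime."""
    return int(now / (lifetime / 2))

def _digest(tick, action, user_id, secret):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:10]

def create_nonce(user_id, action, now, secret=SECRET):
    """Token bound to user + action + time window (wp_create_nonce style)."""
    return _digest(nonce_tick(now), action, user_id, secret)

def verify_nonce(nonce, user_id, action, now, secret=SECRET):
    """Accept the current or the previous window; constant-time compare."""
    tick = nonce_tick(now)
    return any(
        hmac.compare_digest(nonce, _digest(t, action, user_id, secret))
        for t in (tick, tick - 1)
    )

def handle_logout(url, session_user_id, now, require_nonce=True):
    """Server side of a GET logout link for the logged-in session user.

    Returns 'logged_out' on success, otherwise the reason for refusing.
    A cross-site <img src=...> request arrives with cookies but no nonce,
    so it is refused whenever require_nonce is True.
    """
    qs = parse_qs(urlparse(url).query)
    if qs.get("action", [""])[0] != "logout":
        return "ignored"
    if require_nonce:
        nonce = qs.get("_wpnonce", [""])[0]
        if not verify_nonce(nonce, session_user_id, "log-out", now):
            return "rejected: missing or invalid _wpnonce"
    return "logged_out"
```

A nonce minted for another user, or one older than two windows, is refused as well, so an attacker who obtains their own token cannot reuse it against a victim.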
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10294>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software