[wp-trac] [WordPress Trac] #16089: Cross-site Scripting Vulnerability in /wp-admin/setup-config

WordPress Trac wp-trac at lists.automattic.com
Mon Jan 3 18:18:14 UTC 2011


#16089: Cross-site Scripting Vulnerability in /wp-admin/setup-config
----------------------------+------------------
 Reporter:  danielmiessler  |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  3.1
Component:  General         |     Version:  3.1
 Severity:  critical        |  Resolution:
 Keywords:  has-patch       |
----------------------------+------------------

Comment (by ericmann):

 Replying to [comment:2 danielmiessler]:
 > I think I followed the correct procedure.

 No, you didn't.

 > I went to wordpress.org, typed "report a vulnerability" into the search
 field, and was given instructions on how to properly fill out a trac
 ticket.

 The page that comes up from that search
 (http://codex.wordpress.org/Reporting_Bugs) has an explicit "Reporting
 security issues" section that refers you to the Security FAQ page
 (http://codex.wordpress.org/Security_FAQ).  This section reminds you to
 notify the vendor (the WordPress core team) privately rather than publicly
 about exploits, and the Security FAQ page provides the actual contact
 information.

 It is bad practice to report security vulnerabilities in public.  We need
 time to patch the issue and provide an update to users before anyone who
 would exploit the vulnerability gets a hold of it.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/16089#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software