[wp-trac] [WordPress Trac] #16089: Cross-site Scripting Vulnerability in /wp-admin/setup-config
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 3 18:18:14 UTC 2011
#16089: Cross-site Scripting Vulnerability in /wp-admin/setup-config
----------------------------+------------------
 Reporter:  danielmiessler  |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  3.1
Component:  General         |     Version:  3.1
 Severity:  critical        |  Resolution:
 Keywords:  has-patch       |
----------------------------+------------------
Comment (by ericmann):
Replying to [comment:2 danielmiessler]:
> I think I followed the correct procedure.
No, you didn't.
> I went to wordpress.org, typed "report a vulnerability" into the search
> field, and was given instructions on how to properly fill out a trac
> ticket.
The page that comes up from that search
(http://codex.wordpress.org/Reporting_Bugs) has an explicit "Reporting
security issues" section that refers you to the Security FAQ page
(http://codex.wordpress.org/Security_FAQ). This section reminds you to
notify the vendor (the WordPress core team) privately rather than publicly
about exploits, and the Security FAQ page provides the actual contact
information.
It is bad practice to report security vulnerabilities in public. We need
time to patch the issue and provide an update to users before anyone who
would exploit the vulnerability gets a hold of it.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/16089#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software