[wp-hackers] Security Vulnerability found - Forum Pos

Amit Gupta amit at igeek.info
Wed Apr 13 17:42:28 GMT 2005


"Mike Little" <journalized at gmail.com>
> In my opinion, this isn't as much of a threat to WordPress as it 
seems.
> 
> In essence, the 'exploit' is that a registered user with posting 
permission can include any HTML, including javascript or an iframe,  in a 
post title or a post body. This javascript would then be executed or the 
iframe be visible in any readers browser!
> 
> That's right. It's a blogging system. It's a simplified CMS. It would 
be a pretty poor one without HTML.
> 
> In other words if you trust someone, including yourself, to post 
stories on your blog then you have to trust that they won't do anything 
naughty!
> 
> I don't see that that is any different from any situation where you 
allow someone trusted to put content on your site.
> 

That's correct & I support it. If you don't trust anyone, then don't give them the rights to POST. Its as simple as that!!


"John Sinteur" <john at sinteur.com>
> Consider this scenario:
> 
> on a weblog, "options - general" the owner has checked: "anyone can 
> register"
> in "options - writing" the owner has checked "Newly registered members: 
> May submit drafts for review" (or worse "May publish articles" but 
> let's forget about that for now)
> 
> Malicious user registers, writes a draft article, where the javascript 
> attempts to steal the admin cookie.
> 
> Owner logs on, sees a new draft, clicks on it to view, and has just 
> lost his weblog.

I'd say, if you want anyone to register & post on your blog, then there should be an option to disable the <script> tags etc. But disabling them by default & not having the option to enable them will be very restricting.


-----
Amit Gupta

|| Canned!! -- my Atropine || iG:Syntax Hiliter v2.01 ||
|| iGEEK.INFO || Free Nokia Ringtones || Online Gaming @ Games Planet || 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://comox.textdrive.com/pipermail/wp-hackers/attachments/20050413/03845329/attachment.html


More information about the wp-hackers mailing list