[wp-hackers] Reputed XSS issue with WordPress (templates.php)
Ryan Boren
ryan at boren.nu
Tue Feb 13 18:32:19 GMT 2007
On 2/13/07, Bas Bosman <wordpress at nazgul.nu> wrote:
> >> Any managing action which allows custom JavaScript to be directly
> >> executed from a request is an XSS vulnerability and should be fixed.
> >
> > I didn't get XSS with the sample exploit link. Once I clicked through
> > the AYS though, I got another AYS and XSS. We just need to
> > specialchars the output of wp_explain_nonce().
>
> That's indeed the best fix for this issue, but I hope my other mail
> proved that this can be used for XSS. (That the original exploit code
> didn't do much doesn't mean it can't be adapted.)
Yes. I had to play with it but managed to trigger XSS. I put a fix in
for 2.0, 2.1, and trunk for everyone's review and testing.
Ryan
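Added illustration of the fix discussed above; this is not code from WordPress or from the thread. It uses a hypothetical stand-in for wp_explain_nonce() whose explanation sentence embeds the id taken from the request's action name, and shows the unescaped AYS output beside the specialchars-style (HTML-encoded) output, with a crude check that flags unescaped markup in the rendered page.

```python
import html
import re

# Constructed stand-in for the nonce explanation table: an action such as
# "edit-post_12" maps to a sentence that embeds the id part of the action.
# That id comes straight from the request, so it is attacker-controlled text.
EXPLANATIONS = {
    "edit-post": 'Your attempt to edit this post: "%s" has failed.',
    "delete-post": 'Your attempt to delete this post: "%s" has failed.',
}
GENERIC = "Are you sure you want to do this?"


def explain_nonce(action):
    """Hypothetical equivalent of wp_explain_nonce(): returns plain text
    that must be treated as untrusted because it echoes request data."""
    m = re.match(r"^([a-z]+-[a-z]+)_(.+)$", action)
    if m and m.group(1) in EXPLANATIONS:
        return EXPLANATIONS[m.group(1)] % m.group(2)
    return GENERIC


def render_ays_vulnerable(action):
    """The defect discussed on the list: explanation written into HTML as-is."""
    return "<p>%s</p>" % explain_nonce(action)


def render_ays_fixed(action):
    """The fix: HTML-encode (specialchars) the explanation at output time."""
    return "<p>%s</p>" % html.escape(explain_nonce(action), quote=True)


def contains_raw_tag(markup):
    """Detection helper: True if the page contains any tag other than the
    surrounding <p>...</p>, i.e. request data reached the browser as markup."""
    return re.search(r"<(?!/?p>)[a-zA-Z]", markup) is not None
```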