[wp-hackers] XSS Vulnerability reported by a french geek
Mark Jaquith
mark.wordpress at txfx.net
Tue May 29 16:28:02 GMT 2007
On May 29, 2007, at 12:08 PM, Rob wrote:
> I agree, but out of interest why don't we nonce comments? It seems
> like we could stop a lot of comment spam and seal up this kind of
> vulnerability if we did.
>
> Theme compatibility issues?
We nonce admin comments (well, comments by anyone with the
unfiltered_html capability). If the nonce fails or isn't there, the
admin doesn't get to post unfiltered_html. That is what prevents
this POC from working.
Noncing all comments would be a club solution [1]. And it'd be
useless against spam bots who first slurp the form (and thus the
nonce). The more people who had this (like, if it were in core), the
less effective it would be. And yes, theme compatibility would be a
slight hurdle, though that's not the main reason.
==
[1] http://diveintomark.org/archives/2002/10/29/club_vs_lojack_solutions
--
Mark Jaquith
http://markjaquith.com/
Covered Web Services
http://coveredwebservices.com/
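To make the mechanism Mark describes concrete, the following is an added PHP illustration; it is neither WordPress's code nor Mark's, and every name in it (SECRET_KEY, make_nonce, verify_nonce, filter_comment, process_comment, the field name `_wp_unfiltered_html_comment` and the action strings) is my own, modelled loosely on the shape of WordPress's nonce functions rather than copied from them. It shows three things: a forged cross-site POST from an admin's browser carries no nonce, so the admin's markup is run through the filter as if they lacked `unfiltered_html`; a submission through the real form carries a valid nonce and is stored untouched; and a nonce on the public comment form is keyed to the anonymous user id, so a bot that fetches the form once can reuse that nonce for every post until the time window rolls over, which is the reason noncing all comments would not stop spam.

```php
<?php
// Added illustration, not WordPress's own code. Names below are hypothetical.
const SECRET_KEY = 'replace-with-a-long-random-secret'; // stand-in for WordPress's salts

// A nonce is a truncated keyed HMAC over (time tick, action, user id).
// With 12-hour ticks and the previous tick still accepted, it lives 12-24 hours.
function nonce_tick(): int {
    return (int) ceil(time() / (12 * 3600));
}

function nonce_for_tick(int $tick, string $action, int $user_id): string {
    return substr(hash_hmac('md5', $tick . '|' . $action . '|' . $user_id, SECRET_KEY), -12, 10);
}

function make_nonce(string $action, int $user_id): string {
    return nonce_for_tick(nonce_tick(), $action, $user_id);
}

// True if the nonce matches the current or the previous tick for this action and user.
function verify_nonce(string $nonce, string $action, int $user_id): bool {
    foreach ([nonce_tick(), nonce_tick() - 1] as $tick) {
        if (hash_equals(nonce_for_tick($tick, $action, $user_id), $nonce)) {
            return true;
        }
    }
    return false;
}

// Simplified stand-in for a kses-style filter: keep a small tag allowlist,
// drop inline event handlers, and neuter javascript: links. A real filter
// works from a full attribute allowlist; this is only enough for the demo.
function filter_comment(string $html): string {
    $html = strip_tags($html, '<a><b><i><em><strong><blockquote><code>');
    $html = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);
    return preg_replace('/href\s*=\s*(["\']?)\s*javascript:/i', 'href=$1#', $html);
}

// Handle a submitted comment. $can_unfiltered mirrors the unfiltered_html
// capability; the nonce gates whether that capability is honoured.
function process_comment(array $post, int $user_id, bool $can_unfiltered): array {
    $nonce_ok = $can_unfiltered
        && isset($post['_wp_unfiltered_html_comment'])
        && verify_nonce($post['_wp_unfiltered_html_comment'], 'unfiltered-html-comment', $user_id);
    $content = $nonce_ok ? $post['comment'] : filter_comment($post['comment']);
    return ['content' => $content, 'unfiltered' => $nonce_ok];
}

$admin_id = 1;
// Constructed sample payload of the kind a forged request would try to submit.
$payload = ['comment' => 'hi <script>alert(1)</script> <a href="javascript:x" onclick="y()">x</a>'];

// 1. Forged cross-site POST: the admin's browser sends it, but there is no nonce.
$forged = process_comment($payload, $admin_id, true);
printf("forged:     unfiltered=%s content=%s\n", var_export($forged['unfiltered'], true), $forged['content']);

// 2. Legitimate submission through the real form, which embedded the nonce.
$legit = $payload + ['_wp_unfiltered_html_comment' => make_nonce('unfiltered-html-comment', $admin_id)];
$ok = process_comment($legit, $admin_id, true);
printf("legitimate: unfiltered=%s content=%s\n", var_export($ok['unfiltered'], true), $ok['content']);

// 3. Why noncing every comment would not stop bots: anonymous visitors all share
//    user id 0, so one GET of the form yields a nonce good for every anonymous
//    post until the tick rolls over.
$bot_nonce = make_nonce('comment-form', 0);           // the bot slurped the form once
$reusable  = verify_nonce($bot_nonce, 'comment-form', 0); // still true on every later POST
printf("bot nonce reusable by any anonymous poster: %s\n", var_export($reusable, true));
```

The design choice worth noticing is that the nonce is only ever a CSRF check: it proves the request came from a page the server rendered for that user, not that a human sent it. That is exactly why it closes the forged-admin-comment hole and does nothing against a bot that fetches the form first.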