[wp-testers] ajax + security hole = ?

Robert Deaton false.hopes at gmail.com
Tue Apr 3 04:15:51 GMT 2007


Commonly, this is only going to be exploitable in any meaningful
fashion if there is JavaScript code from the remote site (WP in this
case) that is being eval()ed, and because we aren't using JSON and
afaik we're not doing any eval magic to store information in variables
(especially since all our AJAX interaction currently in WP is limited
to little more than submitting info and checking for a success value).

So, my first bet would be this isn't a worry for us as WP stands.

On 4/2/07, Dan Milward <dan at instinct.co.nz> wrote:
> I wonder if this sort of attack makes WordPress sites vulnerable?
> http://it.slashdot.org/article.pl?sid=07/04/02/1113242
>
> Ciao,
>
> Dan
>
> Lloyd Budd wrote:
> > On 4/2/07, Anu Gupta DCSA <anugupta at pu.ac.in> wrote:
> >>
> >> To have the Online Questionnaire, please visit:
> >>
> >> http://anu.puchd.ac.in/phpESP/public/survey.php?name=FOSS_Defect_Survey
> >
> > It would be awesome if all of us on this list filled out the survey! I am
> > very interested in other WordPress participants' answers and how they
> > relate to other open source products.
> >
> > I have published my own answers (with comments) at
> > http://testingopensource.com/a-survey-on-current-practices-in-defect-management-in-freeopen-source-software/
> >
> >
> > Thanks,
>
> --
> Instinct Entertainment Limited
> Level 3, Education House, 178 Willis Street
> PO Box 12-519, Wellington, New Zealand
> Ph. 64-4-385 8082
> Mobile. 021-449 901
> dan at instinct.co.nz
> http://www.instinct.co.nz


-- 
--Robert Deaton
http://lushlab.com