[wp-trac] Re: [WordPress Trac] #4344: Posting comments from external websites
WordPress Trac
wp-trac at lists.automattic.com
Sun May 27 16:17:52 GMT 2007
#4344: Posting comments from external websites
-----------------------+----------------------------------------------------
Reporter: PsychoGun | Owner: anonymous
Type: defect | Status: closed
Priority: high | Milestone:
Component: Security | Version:
Severity: normal | Resolution: invalid
Keywords: |
-----------------------+----------------------------------------------------
Comment (by westi):
Replying to [comment:22 momo360modena]:
> The explanation of rob1n is convenient for me ;)
>
> {{{
> Unfiltered HTML is a CAPABILITY GRANTED TO THE ADMINISTRATOR.
> }}}
Yes, but that doesn't actually explain the fact that the POC does/doesn't
work.
Yes, a user with Unfiltered HTML can post JavaScript in a comment.
The POC claims this can be automated with a remote posting JavaScript -
i.e. by visiting another site which does it with your stored cookies.
This is, however, blocked by the nonce check I [comment:6 described above].
--
Ticket URL: <http://trac.wordpress.org/ticket/4344#comment:23>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
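As an added illustration (not code from the ticket or from WordPress itself), the following is a standalone Python model of the tick-based nonce check westi refers to: the token is an HMAC over a time tick, the action, the user id and the login session, so a request that arrives carrying only the victim's cookies and no nonce from the real comment form is refused. The secret, tick length and function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo secret; a real site would derive it from its own salts (assumption).
NONCE_SECRET = b"constructed-demo-secret-not-for-production"
TICK_SECONDS = 12 * 60 * 60  # nonce lifetime, modelled on WordPress's 12-hour window
ACTION = "unfiltered-html-comment"  # hypothetical action name for this check


def nonce_tick(now, offset=0):
    """Half-life counter: a nonce is accepted for the current and the previous tick."""
    return (now // (TICK_SECONDS // 2)) - offset


def _nonce_for(tick, action, user_id, session_token):
    """Bind the token to tick, action, user and session, then truncate it (WordPress style)."""
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, user_id, session_token, now):
    """Token embedded in the legitimate form; a third-party page cannot compute it."""
    return _nonce_for(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now):
    """Return 1 for a current-tick nonce, 2 for a previous-tick nonce, 0 otherwise."""
    if not nonce:
        return 0
    for offset, result in ((0, 1), (1, 2)):
        expected = _nonce_for(nonce_tick(now, offset), action, user_id, session_token)
        if hmac.compare_digest(nonce, expected):
            return result
    return 0


def handle_comment_post(form, user_id, session_token, now):
    """Server-side gate: the cookie alone identifies the user, the nonce proves intent."""
    if not verify_nonce(form.get("_wpnonce", ""), ACTION, user_id, session_token, now):
        return "rejected: missing or invalid nonce"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample: a logged-in user (id 7) with a session token.
    now, token = 1_700_000_000, "sess-abc"
    print(handle_comment_post({"comment": "hello"}, 7, token, now))  # cross-site: no nonce
    good = create_nonce(ACTION, 7, token, now)
    print(handle_comment_post({"_wpnonce": good, "comment": "hello"}, 7, token, now))
```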