[wp-hackers] Security Vulnerability found - Forum Post

Jeff Minard jeff at jrm.cc
Wed Apr 13 17:53:31 GMT 2005

John Sinteur wrote:
> Owner logs on, sees a new draft, clicks on it to view, and has just lost 
> his weblog.

That's pretty extreme. One person would have to invest a lot of time and 
technical knowledge to execute that kind of exploit for very little (one 
blog) payoff.

Additionally, if they do contain control (however they manage it, JS 
XMLhttprequest *might* work) then what? They log in, post a bunch of 
crap, hijack the blog for 20 minutes? Big deal. You should have backups, 
and they don't actually have any passwords (they only have md5'd 
cookies). So the recovery, sure, would be a pain, but would be quick. 
Combine that with the minimal likely hood of this happening and I don't 
think this comes close to anything critical.

Someone else brought this up a few days ago in the support forms - same 
bug, "Users can post malicious code to the blog via script/iframe tags" 
to which one responded, "So what you are saying is that trusted users 
can post HTML to a blog? Yeah. They can."

Seems way outta proportion.

Finally, the people who have the skill to do this -- and the motivation 
to hack -- would probably have bigger fish to fry than a multiuser, 
non-authenticated blog site.

The suggestion has been offered before: If you are really afraid of your 
users, write a plugin to do additional KS filtering on your blog content 
so that script/iframe/scary tags are removed. Problem solved.

  - Jeff

More information about the wp-hackers mailing list