[wp-hackers] Forum Help
Matthew Thomas
mpt at myrealbox.com
Sun May 15 17:55:50 GMT 2005
Matthew Mullenweg wrote:
>...
> I know it takes the wind out of your "advisory"
(Who are you quoting there?)
> but these are all primitive forms of XSS that WP already protects
> against.
Ah, so that's what I was missing. :-) Great. It looks like the code you
linked to doesn't protect against links in comments and trackbacks when
they appear inside the admin interface for moderation. And it doesn't
protect people using GWA (though I see you have a patch for that), or
people using another prefetching accelerator. And it doesn't let you
have Referers turned off a la RFC 2616 section 15.1.3 (but you knew that
already). And it makes extra work for anyone who renames the wp-admin/
directory to deter attackers. Using POST buttons where appropriate,
instead of links, would fix all those problems, but I guess there's some
good reason for not using them.
> In addition an API hook was added prior to the release of 1.5.1 in order
> to make plugins that block the GWA extra easy:
>
> http://trac.wordpress.org/changeset/2595
>...
If we're still talking about the admin interface, a plug-in will protect
those people who know they need to install it, which is better than
protecting no-one. Again, using POST buttons would protect everyone,
whether they were using GWA or any other accelerator, but oh well.
If we're talking about visitors in general, IMO the "Reading" options
page would be a good place for a prefetcher-blocking checkbox.
--
Matthew Thomas
http://mpt.net.nz/
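The trade-off the post describes, a state-changing admin action exposed as a plain link and guarded only by a Referer check, versus a POST form carrying a session-bound token, modelled as an added Python example. This is not WordPress code and not code from anyone in the thread; the `Request` class, the HMAC token scheme, the handler names and every sample request are constructed for illustration. It walks through the failure cases the post lists (a prefetching accelerator following the link, a user with Referers turned off per RFC 2616 15.1.3, a renamed admin directory) and shows which design survives each.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed: server-side secret used to derive per-session action tokens.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to the admin area (constructed)."""
    method: str
    path: str
    params: dict
    headers: dict
    session_id: str  # assume the session cookie was already authenticated


def action_token(session_id: str, action: str) -> str:
    """Token embedded in the POST form, bound to session and action (hypothetical)."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def referer_guarded_handler(req: Request, admin_dir: str = "/wp-admin/") -> tuple[bool, str]:
    """The pattern under discussion: action reachable by GET, only a Referer
    check tied to a fixed admin directory stands in the way.
    Returns (performed, reason)."""
    if req.params.get("action") != "delete":
        return False, "not a delete request"
    referer = req.headers.get("Referer", "")
    if admin_dir not in referer:
        return False, "rejected: Referer missing or not from the admin dir"
    return True, "deleted via GET"


def post_token_handler(req: Request) -> tuple[bool, str]:
    """Hardened form: the state change requires POST plus a session-bound token.
    Prefetchers only issue GET, Referer is never consulted, and nothing depends
    on the admin directory name."""
    if req.params.get("action") != "delete":
        return False, "not a delete request"
    if req.method != "POST":
        return False, "rejected: state change must be POST"
    expected = action_token(req.session_id, "delete")
    if not hmac.compare_digest(req.params.get("token", ""), expected):
        return False, "rejected: missing or invalid action token"
    return True, "deleted via POST"


def scenarios() -> dict:
    """Run the cases from the post against both handlers; values are 'performed'."""
    sid = "sess-42"
    delete = {"action": "delete", "id": "7"}
    # 1. A prefetching accelerator follows the "Delete" link on the moderation
    #    page; assume it sends the page URL as Referer, as a click would.
    prefetch = Request("GET", "/wp-admin/edit-comments.php", dict(delete),
                       {"Referer": "http://blog.example/wp-admin/moderation.php"}, sid)
    # 2. An admin with Referers turned off submits the real form.
    noref_post = Request("POST", "/wp-admin/edit-comments.php",
                         {**delete, "token": action_token(sid, "delete")}, {}, sid)
    # 3. The site renamed wp-admin/ to secret-admin/; same admin uses the link...
    renamed_get = Request("GET", "/secret-admin/edit-comments.php", dict(delete),
                          {"Referer": "http://blog.example/secret-admin/moderation.php"}, sid)
    #    ...or the form, under the new directory name.
    renamed_post = Request("POST", "/secret-admin/edit-comments.php",
                           {**delete, "token": action_token(sid, "delete")},
                           {"Referer": "http://blog.example/secret-admin/moderation.php"}, sid)
    # 4. A POST arriving from another origin without the session-bound token.
    foreign_post = Request("POST", "/wp-admin/edit-comments.php", dict(delete),
                           {"Referer": "http://other.example/"}, sid)
    return {
        "prefetch_referer": referer_guarded_handler(prefetch)[0],   # True: deleted by accident
        "prefetch_post": post_token_handler(prefetch)[0],           # False: GET is refused
        "noref_referer": referer_guarded_handler(noref_post)[0],    # False: legit admin locked out
        "noref_post": post_token_handler(noref_post)[0],            # True: no Referer needed
        "renamed_referer": referer_guarded_handler(renamed_get)[0], # False: breaks after rename
        "renamed_post": post_token_handler(renamed_post)[0],        # True: path-independent
        "foreign_referer": referer_guarded_handler(foreign_post)[0],# False: Referer check holds
        "foreign_post": post_token_handler(foreign_post)[0],        # False: token missing
    }


if __name__ == "__main__":
    for name, performed in scenarios().items():
        print(f"{name:18s} performed={performed}")
```

The Referer-guarded handler fails in both directions: it lets the prefetcher delete a comment while locking out an administrator who has disabled Referers or renamed the admin directory. The POST-plus-token handler gets every case right without looking at Referer or the path, which is why the post argues for POST buttons over links.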