[wp-hackers] Forum Help

Matthew Thomas mpt at myrealbox.com
Sun May 15 17:55:50 GMT 2005

Matthew Mullenweg wrote:
> I know it takes the wind out of your "advisory"
(Who are you quoting there?)
> but these are all primitive forms of XSS that WP already protects
> against.

Ah, so that's what I was missing. :-) Great. It looks like the code you 
linked to doesn't protect against links in comments and trackbacks when 
they appear inside the admin interface for moderation. And it doesn't 
protect people using GWA (though I see you have a patch for that), or 
people using another prefetching accelerator. And it doesn't let you 
have Referers turned off a la RFC 2616 section 15.1.3 (but you knew that 
already). And it makes extra work for anyone who renames the wp-admin/ 
directory to deter attackers. Using POST buttons where appropriate, 
instead of links, would fix all those problems, but I guess there's some 
good reason for not using them.

> In addition a API hook was added prior to the release of 1.5.1 in order
> to make plugins that block the GWA extra easy:
> http://trac.wordpress.org/changeset/2595

If we're still talking about the admin interface, a plug-in will protect 
those people who know they need to install it, which is better than 
protecting no-one. Again, using POST buttons would protect everyone, 
whether they were using GWA or any other accelerator, but oh well.

If we're talking about visitors in general, IMO the "Reading" options 
page would be a good place for a prefetcher-blocking checkbox.

Matthew Thomas

More information about the wp-hackers mailing list