[wp-hackers] Reputed XSS issue with WordPress (templates.php)

Robin Adrianse robin.adr at gmail.com
Tue Feb 13 16:02:43 GMT 2007


That's hardly a security problem... if someone has the ability to edit
files, they can do much more than that.

On 2/13/07, Alex Günsche <ag.ml2007 at zirona.com> wrote:
>
> Hello,
>
> Today, SecurityFocus reports a Cross-Site Scripting vulnerability for
> WordPress (http://www.securityfocus.com/bid/22534).
>
> However, (at least in my opinion) this is not a real security issue,
> because a user who wants to execute the URL given in the PoC exploit
> code must be logged in and have at least the capability to edit files.
> If the user is not logged in, he will be asked to do so; if he doesn't
> have the capabilities to edit files, the script will abort immediately.
> Please see wp-admin/templates.php, ll. 37-60, especially ll. 40-41.
>
> So, it might be possible that a user can inject JS via the URL as
> displayed in the PoC, but when he is able to do this, he would actually
> be able to write the JS into one of the other WP files anyway (given
> they are server-writable). The capability of editing files is usually a
> privilege to administrators in WordPress.
>
>
> Best regards,
> Alex Günsche
>
> --
> Alex Günsche, Zirona OpenSource-Consulting
> work: http://www.zirona.com/ | leisure: http://www.roggenrohl.net
> PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc

