[wp-hackers] Reputed XSS issue with WordPress (templates.php)
Ryan Boren
ryan at boren.nu
Tue Feb 13 18:15:19 GMT 2007
On 2/13/07, Bas Bosman <wordpress at nazgul.nu> wrote:
> > On Tue, 2007-02-13 at 17:44 +0100, Bas Bosman wrote:
> >> This can be triggered by users without the edit files capability. You
> >> just
> >> have to trick somebody with that capability to click that specially
> >> crafted link, by mailing a link or posting it in a comment for instance.
> >
> > Maybe so, but doesn't this fall into the "social engineering" category?
> >
> > With the same arguments, you could say that other managing actions which
> > are triggered by a GET request are vulnerable to XSS attacks.
>
> Yes, but that's why they're called cross-site scripting attacks. They can
> be triggered from other sites.
>
> Any managing action which allows custom JavaScript to be directly executed
> from a request is a XSS vulnerability and should be fixed.
I didn't get XSS with the sample exploit link. Once I clicked through
the AYS though, I got another AYS and XSS. We just need to
specialchars the output of wp_explain_nonce().
Ryan
More information about the wp-hackers
mailing list