[wp-hackers] FWD: [BugTraq] Wordpress <= v2.1.0

Ryan Boren ryan at boren.nu
Tue Mar 6 17:11:05 GMT 2007


> If you're logged in into wordpress as an admin, your comments aren't
> properly
> sanitized, thus allowing an XSS to be posted. Normally an admin wouldn't
> input XSS input vectors, but we can make them do it with a simple XSRF
> script.

We've been talking about what to do with this.  The current plan is to use
the comment_form hook to nonce comments for users with unfiltered_html
privs.  If the nonce is missing or invalid, the user will be stripped
of unfiltered_html and the comment will go through strict kses.  This
should accommodate themes that lack the comment_form hook.

Ryan
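A plugin-style sketch of that plan, added here as an illustration; it is not WordPress's own fix and not code from this thread. The plugin name, the `uhc_` prefix and the hidden field name are assumptions, and it assumes the theme fires the `comment_form` action inside its comment form.

```php
<?php
/*
 * Plugin Name: Nonce comments from unfiltered_html users (illustrative)
 * Hypothetical plugin written to show the approach described in the post above.
 */

const UHC_NONCE_FIELD = '_uhc_unfiltered_html_nonce'; // assumed field name

function uhc_nonce_action( $post_id ) {
    // Tie the nonce to the post so a token issued for one form cannot be replayed on another.
    return 'uhc-unfiltered-html-comment_' . (int) $post_id;
}

// Fires inside the comment form via the comment_form action; themes that call
// do_action( 'comment_form', $post->ID ) get the hidden field automatically.
function uhc_comment_form_nonce( $post_id ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        wp_nonce_field( uhc_nonce_action( $post_id ), UHC_NONCE_FIELD, false );
    }
}
add_action( 'comment_form', 'uhc_comment_form_nonce' );

// Runs before the comment is stored. Users without unfiltered_html already go
// through kses; privileged users are only trusted when the nonce checks out.
function uhc_preprocess_comment( $commentdata ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return $commentdata;
    }
    $nonce = isset( $_POST[ UHC_NONCE_FIELD ] ) ? $_POST[ UHC_NONCE_FIELD ] : '';
    $valid = wp_verify_nonce( $nonce, uhc_nonce_action( $commentdata['comment_post_ID'] ) );
    if ( ! $valid ) {
        // Missing or invalid nonce: treat the submission as if it were cross-site
        // and run the content through the strict default allowed-tag list, exactly
        // as for an unprivileged commenter. A theme lacking the comment_form hook
        // never emits the field, so its privileged commenters land here as well.
        $commentdata['comment_content'] = wp_filter_kses( $commentdata['comment_content'] );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'uhc_preprocess_comment' );
```

The effect is a fail-closed default: a forged request from another site cannot carry a valid nonce, so it can only ever produce a kses-filtered comment.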


More information about the wp-hackers mailing list