XSS attack – WP unsecure

Viewing 2 replies - 1 through 2 (of 2 total)

  • Short version: that advisory is bogus. Commenter URLs are stripped of all quotes and other invalid characters before storage and display.

    Long version: the scripting code the author demonstrates only works when the following are true:
    1. The visitor commented on the site in question with that code in his url, or had cookies planted in his browser to mimic the effect of leaving a comment with that code in the url.
    2. The visitor is not logged in to the site in question (logged-in visitors do not see the URL input box) and therefore does not have his credentials in his browser’s cookies, so they cannot be stolen by any script in the comment form.

    Here’s a patch that eliminates any further annoyances caused by this effect:

    https://trac.www.ads-software.com/ticket/2454

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘XSS attack – WP unsecure’ is closed to new replies.

Tags