Cross-site scripting vulnerabilities
Our host has detected cross-site scripting vulnerabilities on the “a” and “thestate” parameters within your CGI files. At least from what I can tell from their log, it appears to be related to this plugin. Here is a part of their log:
Using the GET HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to injectable parameter :
+ The 'a' parameter of the /comic-strip-submitted-to-dee-cote/ CGI :
/comic-strip-submitted-to-dee-cote/?a=%00rnrfrh
-------- output --------
<div class="entry-content"> <input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" /> <input type="hidden" name="_wp_http_referer" value="/comic-strip-submitted-to-dee-cote/?a=%00rnrfrh" /><p>This content is restricted to site members. If you are an existing user, please login. New users may register below.</p> <div class="wpmem_login"> <a name="login"></a></p>
------------------------
+ The 'thestate' parameter of the /morgenthau-list-being-added/ CGI :
/morgenthau-list-being-added/?thestate=%00rnrfrh
-------- output --------
<div class="entry-content"> <input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" /> <input type="hidden" name="_wp_http_referer" value="/morgenthau-list-being-added/?thestate=%00rnrfrh" /><p>This content is restricted to site members. If you are an existing user, please login. New users may register below.</p> <div class="wpmem_login"> <a name="login"></a></p>
According to the following url regarding your 2.8.1 release, the cross-site scripting exploit has been closed: http://rocketgeek.com/release-announcements/wp-members-2-8-1-release/
Can you confirm that this is still a valid issue and if so, when we might expect a new release to resolve it? Thanks.
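The scanner output above shows the request URI being echoed back inside the `_wp_http_referer` hidden field, which is an HTML attribute context. The following is an added illustration, not code from WP-Members or from this thread, of the unsafe and the escaped form of that field and of a simple check for whether a quote survives unencoded; the `esc_attr()` stand-in is a hypothetical substitute used only so the snippet runs outside WordPress.

```php
<?php
// Added example (not WP-Members or forum code): why a reflected request URI
// in a value="..." attribute matters, and how WordPress core escapes it.

// Stand-in so this runs outside WordPress. Core esc_attr() likewise encodes
// <, >, &, " and ' for use inside an HTML attribute.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Unsafe pattern: the raw request URI is concatenated into the attribute.
// A URI carrying a literal double quote closes value="" early.
function referer_field_unsafe( $request_uri ) {
    return '<input type="hidden" name="_wp_http_referer" value="'
        . $request_uri . '" />';
}

// Safe pattern: escape for attribute context before concatenating.
// This is what core wp_referer_field() does with $_SERVER['REQUEST_URI'].
function referer_field_safe( $request_uri ) {
    return '<input type="hidden" name="_wp_http_referer" value="'
        . esc_attr( $request_uri ) . '" />';
}

// Defender's check: true when the probe, which includes a double quote,
// appears verbatim in the output, i.e. the quote was not encoded and the
// attribute boundary could be broken. This mirrors what a scanner such as
// the one in the report looks for after injecting a marker string.
function reflected_unescaped( $html, $probe ) {
    return false !== strpos( $html, $probe );
}

// Constructed inputs. The scanner's own probe stays URL-encoded in
// REQUEST_URI (PHP does not decode it), so its verbatim reflection is not
// by itself a breakout; a raw HTTP client can send the quote unencoded.
$encoded_probe = '/comic-strip-submitted-to-dee-cote/?a=%00rnrfrh';
$quote_probe   = '/comic-strip-submitted-to-dee-cote/?a="rnrfrh';

var_dump( reflected_unescaped( referer_field_unsafe( $encoded_probe ), '"rnrfrh' ) );
var_dump( reflected_unescaped( referer_field_unsafe( $quote_probe ), '"rnrfrh' ) );
var_dump( reflected_unescaped( referer_field_safe( $quote_probe ), '"rnrfrh' ) );
```

Only the unsafe field fed the quote-bearing probe reports an unescaped reflection; the escaped field renders the quote as `&quot;`, so the marker no longer appears verbatim.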
- The topic ‘Cross-site scripting vulnerabilities’ is closed to new replies.