[resolved] Security Issue - Popup Url Preview in Admin Section (5 posts)

  1. optricsdavid
    Member
    Posted 2 years ago #

    Hi,

    I've run across something that I think presents a potential security issue inside the admin section of WordPress.

    While handling some of the spam comments that we receive, I noted the url section where their "website" would have been entered.

    I hovered over it to see where it might <actually> be pointing, and was surprised to see a "popup preview".

    - that would mean that some content was being pulled down from their website (had they entered one). If it was a link to malware, it would pull down the malware to our server?

    Here is a screenshot to illustrate

    http://www.optrics.com/images/wordpress-spam-url-preview.gif

    We are a network security firm, and I wanted to bring this up, as we have to look at these issues (like when Firefox first "pre-pulled" Google search result content to "speed up search" - and we deactivated it).

    Thanks
    David

  2. Please email security concerns to security [at] wordpress.org. Include as much detail as you can.

    Per http://codex.wordpress.org/Security_FAQ

  3. Joseph Scott
    Member
    Posted 2 years ago #

    The preview image is generated by a WordPress.com image. In many ways not unlike the Google Instant Preview.

    The only server that pulls down content is the service that generates the preview image. The only thing your browser downloads is the preview image from the WordPress.com service that generated it.

  4. optricsdavid
    Member
    Posted 2 years ago #

    Thanks for the info. That makes sense.

    With issues like a malware site tricking people into pulling down an image, I was wondering if this might be an issue.

    I guess that if the "wordpress service" that pulls down the image pulled down malware it might be serving it up, but I would suppose the "service" hopefully has antivirus running.

    Thanks again for the clarification!

  5. It's the same server that runs this site (well same server 'cluster' I guess) so if it's got a problem, everything WP related is in trouble ;)

Topic Closed

This topic has been closed to new replies.