XSS in post.php | WordPress.org

pedrojrulez
(@pedrojrulez)

19 years ago

It’s possible to achieve some attacks (like phising) by
performing a post like this (from wp-admin/post.php):

<script>window.location=String.fromCharCode(104,116,116,112,...);</script>

As WP won’t dump quotes -but &#…;-, you must build
the URL by passing UNICODE character codes to
String.fromCharCode().

(Tested with Firefox 1.0.2, IE 6.0, WP 1.5 under Fedora
Core 3, PHP 4.3.10.)

Viewing 4 replies - 1 through 4 (of 4 total)

Moderator Matt Mullenweg
(@matt)

19 years ago

So you’re saying that you can post content in your admin area and then people who see your blog will see that content? WP does not sanitize posts, whatever you put in there is shown to your blog visitors.

Dougal Campbell
(@dougal)

19 years ago

Right, this is not any kind of “bug” in WP. If you can’t trust a user to not publish “unsafe” code, then you probably shouldn’t be giving them post permissions.

That said, it would probably be trivial to whip up a plugin that would filter post content through kses for users below a certain level, just as comments currently are.

chuyskywalker
(@chuyskywalker)

19 years ago

Heh…

davidhouse
(@davidhouse)

19 years ago

This is surely possible with or without WordPress. Like dougal said, if you can’t trust an author, don’t make them an author.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘XSS in post.php’ is closed to new replies.

In: Everything else WordPress
4 replies
5 participants
Last reply from: davidhouse
Last activity: 19 years ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics